Linux.com weekly security advisory – February 17, 2006

41

Author: Kelley Greenman

Advisories were released this week for Libtasn1, kdegraphics, OpenSSH, PostgreSQL, ImageMagick, Xpdf, and several other packages. Distributors releasing advisories include Debian, Fedora, Gentoo, Mandriva, Red Hat, SUSE, and Ubuntu. FreeBSD did not issue advisories this week.

Libtasn1: arbitrary code execution vulnerability

This week, Gentoo and Mandriva issued advisories addressing Evgeny Legerov’s January 31st discovery of several instances of possible out-of-bounds access in the Distinguished Encoding Rules (DER) decoding and encoding schemes of Libtasn1. Libtasn1 is the standalone library written for GnuTLS handling of X.509 certificates. In GNU Shishi, Libtasn1 handles Kerberos packets. Reports indicate that the vulnerabilities have been found in Libtasn1 prior to 0.2.18 and in GnuTLS prior to 1.2.10.

The vulnerability can be triggered when a remote attacker sends an invalid X.509 certificate which can possibly crash the server process, and gain escalated privileges. With escalated privileges, a remote attacker could execute arbitrary code.

In his security advisory, Simon Josefsson invited further testing, providing a “self test that triggers three bugs in the old libtasn1.” Josefsson also released a diff comparing Libtasn1 0.2.17 and Libtasn1 0.2.18.

To fix this vulnerability, it’s necessary to change several internal function signatures. Since, the GnuTLS library also uses those functions, it’s also important to update the library.


Debian: noweb — insecure temporary file

February 13, 2006

Debian’s advisory states:

Javier Fernández-Sanguino Peña from the Debian Security

Audit project discovered that a script in noweb, a web like literate-programming

tool, creates a temporary file in an insecure fashion.


Debian: scponly — design error

February 13, 2006

Debian’s advisory states:

Max Vozeller discovered a vulnerability in scponly, a

utility to restrict user commands to scp and sftp, that could lead

to the execution of arbitrary commands as root. The system is only

vulnerable if the program scponlyc is installed setuid root and if

regular users have shell access to the machine.


Debian: kronolith — missing input sanitizing

February 14, 2006

Debian’s advisory states:

Johannes Greil of SEC Consult discovered several cross-site

scripting vulnerabilities in kronolith, the Horde calendar application.


Debian: Xpdf — buffer overflow

February 14, 2006

Debian’s advisory states:

SUSE researchers discovered heap overflow errors in xpdf,

the Portable Document Format (PDF) suite, that can allow attackers

to cause a denial of service by crashing the application or possibly

execute arbitrary code.


Debian: otrs — several vulnerabilities

February 15, 2006

Debian’s advisory states:

Several vulnerabilities have been discovered in otrs, the

Open Ticket Request System, that can be exploited remotely.


Debian: gpdf — buffer overflows

February 15, 2006

Debian’s advisory states:

SUSE researchers discovered heap overflow errors in xpdf,

the Portable Document Format (PDF) suite, which is also present in

gpdf, the GNOME version of the Portable Document Format viewer, and

which can allow attackers to cause a denial of service by crashing

the application or possibly execute arbitrary code.


Debian: nfs-user-server — buffer overflow

February 15, 2006

Debian’s advisory states:

Marcus Meissner discovered that attackers can trigger a

buffer overflow in the path handling code by creating or abusing existing

symlinks, which may lead to the execution of arbitrary code. This vulnerability

isn’t present in the kernel NFS server. This update includes a bugfix for

attribute handling of symlinks. This fix does not have security implications,

but at the time when this DSA was prepared it was already queued for the

next stable point release, so we decided to include it beforehand.


Debian: libast — buffer overflow

February 15, 2006

Debian’s advisory states:

Johnny Mast discovered a buffer overflow in libast, the

library of assorted spiffy things, that can lead to the execution of

arbitrary code. This library is used by eterm which is installed setgid

uid which leads to a vulnerability to alter the utmp file.


Debian: heimdal — several vulnerabilities

Feb 16, 2006

Debian’s advisory states:

Two vulnerabilities have been discovered in heimdal, a

free implementation of Kerberos 5.


Fedora: poppler — heap-based buffer overflow

February 10, 2006

Fedora’s advisory states:

Heap-based buffer overflow in Splash.cc in poppler, allows

attackers to cause a denial of service and possibly execute arbitrary code

via crafted splash images that produce certain values that exceed the

width or height of the associated bitmap.


Fedora: xpdf — heap based buffer overflow

February 10, 2006

Fedora’s advisory states:

xpdf contains a heap based buffer overflow in the splash

rasterizer engine that can crash kpdf or even execute arbitrary code.


Fedora: kdegraphics — heap based buffer overflow

February 10, 2006

Fedora’s advisory states:

kpdf, the KDE pdf viewer, shares code with xpdf. xpdf

contains a heap based buffer overflow in the splash rasterizer engine

that can crash kpdf or even execute arbitrary code.


Fedora: gnutls — vulnerability

February 10, 2006

Fedora’s advisory states:

Fix for CVE-2006-0645.

Gentoo: xpdf, poppler — heap overflow

February 12, 2006

Gentoo’s advisory states:

Xpdf and Poppler are vulnerable to a heap overflow

that may be exploited to execute arbitrary code.


Gentoo: kdegraphics, kpdf — heap based overflow

February 12, 2006

Gentoo’s advisory states:

KPdf includes vulnerable Xpdf code to handle PDF files,

making it vulnerable to the execution

of arbitrary code.


Gentoo: ImageMagick — format string vulnerability

February 13, 2006

Gentoo’s advisory states:

A vulnerability in ImageMagick allows attackers to

crash the application and potentially

execute arbitrary code.


Gentoo: sun-jdk, sun-jre-bin — applet privilege escalation

February 15, 2006

Gentoo’s advisory states:

Sun’s Java Development Kit (JDK) and Java Runtime

Environment (JRE) do not adequately constrain applets from privilege

escalation and arbitrary code execution.


Gentoo: libtasn1, gnutls — security flaw in DER decoding

February 16, 2006

Gentoo’s advisory states:

A flaw in the parsing of Distinguished Encoding Rules

(DER) has been discovered in libtasn1, potentially resulting in the

execution of arbitrary code.


Gentoo: bomberclone — buffer overflow

February 16, 2006

Gentoo’s advisory states:

BomberClone is vulnerable to a buffer overflow which

may lead to remote execution of arbitrary code.


Mandriva: ghostscript — several vulnerabilities

February 10, 2006

Mandriva’s advisory states:

A number of bugs have been corrected with this latest

ghostscript package including a fix when rendering imaged when

converting PostScript to PDF with ps2pdf, a crash when generating PDF

files with the pdfwrite device, several segfaults, a fix for vertical

japanese text, and a number of other fixes.


Mandriva: libtasn1 — out-of-bounds access vulnerability fix

February 13, 2006

Mandriva’s advisory states:

Evgeny Legerov discovered cases of possible out-of-bounds

access in the DER decoding schemes of libtasn1, when provided with invalid

input. This library is bundled with gnutls. The provided packages have

been patched to correct these issues.


Mandriva: postgresql — updated postgresql packages fix

various bugs

February 14, 2006

Mandriva’s advisory states:

Various bugs in the PostgreSQL 8.0.x branch have been

corrected with the latest 8.0.7 maintenance release which is being

provided for Mandriva Linux 2006 users.


Red Hat: gnutls — denial of service

February 10, 2006

Red Hat’s advisory states:

Updated gnutls packages that fix a security issue

are now available for Red Hat Enterprise Linux 4. (CVE-2006-0645)


Red Hat: kdegraphics — heap based buffer overflow

February 13, 2006

Red Hat’s advisory states:

Updated kdegraphics packages that resolve a security

issue in kpdf are now available. (CVE-2006-0301)


Red Hat: libpng — heap based buffer overflow

February 13, 2006

Red Hat’s advisory states:

Updated libpng packages that fix a security issue

are now available for Red Hat Enterprise Linux 4. (CVE-2006-0481)


Red Hat: xpdf — heap based buffer overflow

February 13, 2006

Red Hat’s advisory states:

An updated xpdf package that fixes a buffer overflow

security issue is now available. (CVE-2006-0301)


Red Hat: bzip2 — several vulnerabilities

February 13, 2006

Red Hat’s advisory states:

Updated bzip2 packages that fix multiple issues are

now available. (CVE-2005-0758, CVE-2005-0953, CVE-2005-1260)


Red Hat: ImageMagick — shell command injection flaw,

format string flaw

February 14, 2006

Red Hat’s advisory states:

Updated ImageMagick packages that fix two security

issues are now available. (CVE-2005-4601, CVE-2006-0082)


SUSE: binutils, kdelibs3, kdegraphics3, koffice, dia, lyx

— local privilege escalation

February 10, 2006

SUSE’s advisory states:

A SUSE specific patch to the GNU linker ‘ld’ removes

redundant RPATH and RUNPATH components when linking binaries. Due

to a bug in this routine ld occasionally left empty RPATH components.

When running a binary with empty RPATH components the dynamic linker

tries to load shared libraries from the current directory. By tricking

users into running an affected application in a directory that contains

a specially crafted shared library an attacker could execute arbitrary

code with the user id of the victim.


SUSE: openssh — remote code execution

February 14, 2006

SUSE’s advisory states:

A problem in the handling of scp in openssh could be

used to execute commands on remote hosts even using a scp-only

configuration.


Ubuntu: heimdal — privilege escalation flaw

February 09, 2006

Ubuntu’s advisory states:

A privilege escalation flaw has been found in the

heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite

arbitrary files and gain ownership of them. (CVE-2006-0582)


Ubuntu: unzip — buffer overflow

February 13, 2006

Ubuntu’s advisory states:

A buffer overflow was discovered in the handling of file name

arguments. By tricking a user or automated system into processing a

specially crafted, excessively long file name with unzip, an attacker

could exploit this to execute arbitrary code with the user’s

privileges. (CVE-2005-4667)


Ubuntu: xpdf, poppler, kdegraphics — buffer overflow

February 13, 2006

Ubuntu’s advisory states:

The splash image handler in xpdf did not check the validity of

coordinates. By tricking a user into opening a specially crafted PDF

file, an attacker could exploit this to trigger a buffer overflow

which could lead to arbitrary code execution with the privileges of

the user. The poppler library and kpdf also contain xpdf code, and thus are

affected by the same vulnerability. (CVE-2006-0301)


Ubuntu: linux-source-2.6.12 — denial of service

February 13, 2006

Ubuntu’s advisory states:

Herbert Xu discovered a remote Denial of Service vulnerability

in the ICMP packet handler. In some situations a memory allocation was released

twice, which led to memory corruption. A remote attacker could exploit this to

crash the machine. (CVE-2006-0454)


Ubuntu: unzip — regression fix

February 15, 2006

Ubuntu’s advisory states:

USN-248-1 fixed a vulnerability in unzip. However, that

update inadvertently changed the field order in the contents listing

output, which broke unzip frontends like file-roller. The updated

packages fix this regression.


Ubuntu: libtasn — buffer overflow

February 16, 2006

Ubuntu’s advisory states:

Evgeny Legerov discovered a buffer overflow in the DER

format decoding function of the libtasn library. This library is mainly

used by the GNU TLS library; by sending a specially crafted X.509

certificate to a server which uses TLS encryption/authentication, a

remote attacker could exploit this to crash that server process and

possibly even execute arbitrary code with the privileges of that server.

(CVE-2006-0645)