Linux Advisory Watch – December 24, 2004

60

Author: Preston St. Pierre

Happy Holidays! This week, advisories were released for cscope, htget, a2ps,
ethereal, xzgv, debmake, xcdroast, udev, cups, postgresql, namazu, pam, samba,
glibc, krb5, php, gnumeric, abiword, libtiff, kfax, abcm2ps, phpMyAdmin, WordPress,
NASM, mplayer, mpg123, wget, urpmi, aspell, krb5, logcheck, samba, Linux kernel,
kerberos5, libxml, gd, XFree86, and nfs-utils. The distributors include Debian,
Fedora, Gentoo, Mandrake, NetBSD, Trustix, Red Hat, and SuSE.

State of Linux Security 2004

In 2004, security continued to be a major concern. The beginning of the
year was plagued with several kernel flaws and Linux vendor advisories
continue to be released at an ever-increasing rate. This year, we have
seen the reports touting Window’s security superiority, only to be
debunked by other security experts immediately after release. Also,
Guardian Digital launched the new LinuxSecurity.com, users continue to
be targeted by automated attacks, and the need for security awareness
and education continues to rise.

2004 started off on shaky ground with a flaw found in mremap(), a piece
of kernel code that controls virtual memory. It affected versions 2.2,
2.4, and 2.6. It was later discovered that the same vulnerability was
used to exploit several high-profile Linux development sites in
November 2003. Patches were released in early January by each of the
major distributions. The flaw was fixed in further kernel releases. In
February, a second mremap vulnerability was discovered by the Polish
security consulting firm ISec. The second mremap flaw was unrelated,
but just as serious as the first. In theory, it could result in a denial
of service or privilege escalation to root. Vendors responded much more
quickly in this second instance. Fixes for 2.4 and 2.6 were released
only in a matter of hours this second time. In March, Paul Starzetz
of ISec released proof-of-concept exploit code for the second mremap
flaw that was released in February. Several news sites failed to
accurately read the report released in March and reported that a
third kernel flaw as found. This was wrong, but it sparked a lot
of interest in rumors. Many were relieved to find out that the “third
vulnerability” was in fact a misinterpretation. It was beginning to
look like the “year of the kernel flaw,” but luckily things quieted
down in second quarter. The remaining portion of the year was scattered
with other kernel vulnerabilities, but non received as much press as
mremap. Another notable one was discovered in 2.6 last October. It was
claimed that the vulnerability could be used to shut down 2.6-based
systems remotely. It only affected those systems using iptables based
firewalls, because the flaw had to do with the way 2.6 handled firewall
logging. Patches were released and the problem was resolved.

   Debian
  Debian: cscope insecure temporary file
  17th, December, 2004

A vulnerability has been discovered in cscope, a program to
interactively examine C source code, which may allow local users to overwrite
files via a symlink attack.

http://www.linuxsecurity.com/content/view/117531

 
  Debian: htget arbitrary code execution
fix
  20th, December, 2004

“infamous41md” discovered a buffer overflow in htget, a file
grabber that will get files from HTTP servers. It is possible to overflow
a buffer and execute arbitrary code by accessing a malicious URL.

http://www.linuxsecurity.com/content/view/117568

 
  Debian: a2ps arbitrary command execution
fix
  20th, December, 2004

Rudolf Polzer discovered a vulnerability in a2ps, a converter
and pretty-printer for many formats to PostScript. The program did not
escape shell meta characters properly which could lead to the execution
of arbitrary commands as a privileged user if a2ps is installed as a printer
filter.

http://www.linuxsecurity.com/content/view/117569

 
  Debian: ethereal denial of service fix
  21st, December, 2004

Brian Caswell discovered that an improperly formatted SMB packet
could make ethereal hang and eat CPU endlessly.

http://www.linuxsecurity.com/content/view/117609

 
  Debian: xzgv arbitrary code execution
fix
  21st, December, 2004

Luke “infamous41md” discoverd multiple vulnerabilities in xzgv,
a picture viewer for X11 with a thumbnail-based selector. Remote exploitation
of an integer overflow vulnerability could allow the execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/117610

 
  Debian: debmake insecure temporary directories
fix
  22nd, December, 2004

Javier Fern‡ndez-Sanguino Pe–a noticed that the debstd script
from debmake, a deprecated helper package for Debian packaging, created
temporary directories in an insecure manner. This can be exploited by
a malicious user to overwrite arbitrary files owned by the victim.

http://www.linuxsecurity.com/content/view/117630

 
   Fedora
  Fedora: selinux-policy-targeted-1.17.30-2.51
update
  16th, December, 2004

Fix problems with winbind, nscd, apache and others.

http://www.linuxsecurity.com/content/view/117525

 
  Fedora: xcdroast-0.98a15-8 update
  16th, December, 2004

fixed frozen progress bars with patch from Didier Heyden (bug
#134334)

http://www.linuxsecurity.com/content/view/117529

 
  Fedora: udev-039-10.FC3.6 update
  16th, December, 2004

fixed a case where reading /proc/ide/hd?/media returns EIO (bug
rh#142713) and added simple dvb rules

http://www.linuxsecurity.com/content/view/117530

 
  Fedora: cups-1.1.20-11.7 update
  17th, December, 2004

Two security problems were found by Bartlomiej Sieka. They concern
the lppasswd utility, which can be made to cause a denial of service,
and the hpgltops filter, which can be exploited to run code remotely as
the user “lp”. These problems have both been fixed.

http://www.linuxsecurity.com/content/view/117540

 
  Fedora: cups-1.1.22-0.rc1.8.1 update
  17th, December, 2004

Two security problems were found by Bartlomiej Sieka. They concern
the lppasswd utility, which can be made to cause a denial of service,
and the hpgltops filter, which can be exploited to run code remotely as
the user “lp”. These problems have both been fixed.

http://www.linuxsecurity.com/content/view/117541

 
  Fedora: postgresql-7.4.6-1.FC2.2 update
  17th, December, 2004

Update to PyGreSQL 3.6 (to fix bug #142711). Adjust a few file
permissions (bug #142431). Assign %{_libdir}/pgsql to base package instead
of -server (bug #74003)

http://www.linuxsecurity.com/content/view/117542

 
  Fedora: postgresql-7.4.6-1.FC3.2 update
  17th, December, 2004

Update to PyGreSQL 3.6 (to fix bug #142711). Adjust a few file
permissions (bug #142431). Assign %{_libdir}/pgsql to base package instead
of -server (bug #74003)

http://www.linuxsecurity.com/content/view/117543

 
  Fedora: namazu-2.0.14-0.FC2.0 update
  20th, December, 2004

Security fix release.

http://www.linuxsecurity.com/content/view/117604

 
  Fedora: namazu-2.0.14-0.FC3.0 update
  20th, December, 2004

Security fix release.

http://www.linuxsecurity.com/content/view/117605

 
  Fedora: pam-0.77-66.1 update
  20th, December, 2004

add argument to pam_console_apply to restrict its work to specified
files. #140451 parse passwd entries correctly and test for failure

http://www.linuxsecurity.com/content/view/117606

 
  Fedora: samba-3.0.10-1.fc2 update
  20th, December, 2004

New upstream release that closes CAN-2004-1154 bz#142544. Include
the -64bit patch from Nalin. This closes bz#142873. Update the -logfiles
patch to work with 3.0.10

http://www.linuxsecurity.com/content/view/117623

 
  Fedora: samba-3.0.10-1.fc3 update
  20th, December, 2004

New upstream release that closes CAN-2004-1154 bz#142544. Include
the -64bit patch from Nalin. This closes bz#142873. Update the -logfiles
patch to work with 3.0.10

http://www.linuxsecurity.com/content/view/117624

 
  Fedora: glibc-2.3.4-2.fc3 update
  21st, December, 2004

work around rpm bug some more, this time by copying iconvconfig
to iconvconfig.%{_target_cpu}.

http://www.linuxsecurity.com/content/view/117625

 
  Fedora: krb5-1.3.6-1 update
  21st, December, 2004

A heap based buffer overflow bug was found in the administration
library of Kerberos 1.3.5 and earlier. This overflow in the password history
handling code could allow an authenticated remote attacker to execute
commands on a realm’s master Kerberos KDC.

http://www.linuxsecurity.com/content/view/117626

 
  Fedora: krb5-1.3.6-2 update
  21st, December, 2004

A heap based buffer overflow bug was found in the administration
library of Kerberos 1.3.5 and earlier. This overflow in the password history
handling code could allow an authenticated remote attacker to execute
commands on a realm’s master Kerberos KDC.

http://www.linuxsecurity.com/content/view/117627

 
  Fedora: php-4.3.10-3.2 update
  21st, December, 2004

This update includes the latest release of PHP 4.3, including
fixes for security issues in the unserializer (CVE CAN-2004-1019) and
exif image parsing (CVE CAN-2004-1065).

http://www.linuxsecurity.com/content/view/117628

 
  Fedora: php-4.3.10-2.4 update
  21st, December, 2004

This update includes the latest release of PHP 4.3, including
fixes for security issues in the unserializer (CVE CAN-2004-1019), exif
image parsing (CVE CAN-2004-1065), and form upload parsing (CVE CAN-2004-0958
and CAN-2004-0959).

http://www.linuxsecurity.com/content/view/117629

 
  Fedora: gnumeric-1.2.13-10 update
  22nd, December, 2004

#rh133662# printer font fallback

http://www.linuxsecurity.com/content/view/117648

 
  Fedora: selinux-policy-targeted-1.17.30-2.58
update
  22nd, December, 2004

Several updates to fix problems with Apache, Squid, postgresql

http://www.linuxsecurity.com/content/view/117649

 
  Fedora: abiword-2.0.12-9 update
  22nd, December, 2004

RH#143180# backport fix for really stupid ownership of string
bug

http://www.linuxsecurity.com/content/view/117650

 
  Fedora: libtiff-3.5.7-21.fc2 update
  22nd, December, 2004

Fix several buffer overflow problems that could be used as an
exploit. Fixes the following security advisory: CAN-2004-1308

http://www.linuxsecurity.com/content/view/117651

 
  Fedora: libtiff-3.6.1-8.fc3 update
  22nd, December, 2004

Fix several buffer overflow problems that could be used as an
exploit. Fixes the following security advisory: CAN-2004-1308

http://www.linuxsecurity.com/content/view/117652

 
   Gentoo
  Gentoo: cscope Insecure creation of temporary
files
  16th, December, 2004

Cscope is vulnerable to symlink attacks, potentially allowing
a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/117558

 
  Gentoo: Adobe Acrobat Reader Buffer overflow
vulnerability
  16th, December, 2004

Adobe Acrobat Reader is vulnerable to a buffer overflow that
could lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117559

 
  Gentoo: samba Integer overflow
  17th, December, 2004

Samba contains a bug that could lead to remote execution of
arbitrary code.

http://www.linuxsecurity.com/content/view/117560

 
  Gentoo: PHP Multiple vulnerabilities
  19th, December, 2004

Several vulnerabilities were found and fixed in PHP, ranging
from an information leak and a safe_mode restriction bypass to a potential
remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117576

 
  Gentoo: Ethereal Multiple vulnerabilities
  19th, December, 2004

Multiple vulnerabilities exist in Ethereal, which may allow
an attacker to run arbitrary code, crash the program or perform DoS by
CPU and disk utilization.

http://www.linuxsecurity.com/content/view/117577

 
  Gentoo: kdelibs, kdebase Multiple vulnerabilities
  19th, December, 2004

kdelibs and kdebase contain a flaw allowing password disclosure
when creating a link to a remote file. Furthermore Konqueror is vulnerable
to window injection.

http://www.linuxsecurity.com/content/view/117578

 
  Gentoo: kfax Multiple overflows in the
included TIFF library
  19th, December, 2004

kfax contains several buffer overflows potentially leading to
execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117579

 
  Gentoo: abcm2ps Buffer overflow vulnerability
  19th, December, 2004

abcm2ps is vulnerable to a buffer overflow that could lead to
remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117580

 
  Gentoo: phpMyAdmin Multiple vulnerabilities
  19th, December, 2004

phpMyAdmin contains multiple vulnerabilities which could lead
to file disclosure or command execution.

http://www.linuxsecurity.com/content/view/117581

 
  Gentoo: WordPress HTTP response splitting
and XSS vulnerabilities
  19th, December, 2004

Thomas Waldegger, who discovered these vulnerabilities, reported
that these issues were not fixed in version 1.2.1. After notifying the
developers, they released 1.2.2 to fix these flaws.

http://www.linuxsecurity.com/content/view/117582

 
  Gentoo: NASM Buffer overflow vulnerability
  20th, December, 2004

NASM is vulnerable to a buffer overflow that allows an attacker
to execute arbitrary code through the use of a malicious object file.

http://www.linuxsecurity.com/content/view/117583

 
  Gentoo: MPlayer Multiple overflows
  20th, December, 2004

Multiple overflow vulnerabilities have been found in MPlayer,
potentially resulting in remote executing of arbitrary code.

http://www.linuxsecurity.com/content/view/117584

 
  Gentoo: mpg123 Playlist buffer overflow
  21st, December, 2004

mpg123 is vulnerable to a buffer overflow that allows an attacker
to execute arbitrary code through the use of a malicious playlist.

http://www.linuxsecurity.com/content/view/117611

 
  Gentoo: Zwiki XSS vulnerability
  21st, December, 2004

Zwiki is vulnerable to cross-site scripting attacks.

http://www.linuxsecurity.com/content/view/117622

 
   Mandrake
  Mandrake: wget download bug fix
  17th, December, 2004

A problem in wget prevents it from downloading very large data
files. The updated packages are patched to fix the problem.

http://www.linuxsecurity.com/content/view/117536

 
  Mandrake: urpmi ssh parallel support
fix
  17th, December, 2004

A bug in the parallel ssh extension in urpmi would prevent parallel
installations using ssh; urpmi would crash. The updated pacakges fix the
problem.

http://www.linuxsecurity.com/content/view/117537

 
  Mandrake: urpmi ssh parallel support
fix
  18th, December, 2004

A bug in the parallel ssh extension in urpmi would prevent parallel
installations using ssh; urpmi would crash. The updated pacakges fix the
problem.

http://www.linuxsecurity.com/content/view/117574

 
  Mandrake: php multiple vulnerabilities
fix
  18th, December, 2004

A number of vulnerabilities in PHP versions prior to 4.3.10
were discovered by Stefan Esser. Some of these vulnerabilities were not
deemed to be severe enough to warrant CVE names, however the packages
provided, with the exception of the Corporate Server 2.1 packages, include
fixes for all of the vulnerabilities, thanks to the efforts of the OpenPKG
team who extracted and backported the fixes.

http://www.linuxsecurity.com/content/view/117575

 
  Mandrake: aspell vulnerability fix
  20th, December, 2004

A vulnerability was discovered in the aspell word-list-compress
utility that can allow an attacker to execute arbitrary code.

http://www.linuxsecurity.com/content/view/117607

 
  Mandrake: ethereal multiple vulnerabilities
fix
  20th, December, 2004

A number of vulnerabilities were discovered in Ethereal.

http://www.linuxsecurity.com/content/view/117608

 
  Mandrake: krb5 buffer overflow vulnerability
fix
  22nd, December, 2004

Michael Tautschnig discovered a heap buffer overflow in the
history handling code of libkadm5srv which could be exploited by an authenticated
user to execute arbitrary code on a Key Distribution Center (KDC) server.

http://www.linuxsecurity.com/content/view/117641

 
  Mandrake: kdelibs multiple vulnerability
fix
  22nd, December, 2004

A vulnerability in the Konqueror webbrowser was discovered where
an untrusted java applet could escalate privileges (through JavaScript
calling into Java code). This includes the reading and writing of files
with the privileges of the user running the applet.

http://www.linuxsecurity.com/content/view/117642

 
  Mandrake: logcheck temporary file vulnerability
fix
  22nd, December, 2004

A vulnerability was discovered in the logcheck program by Christian
Jaeger. This could potentially lead to a local attacker overwriting files
with root privileges.

http://www.linuxsecurity.com/content/view/117643

 
  Mandrake: mplayer multiple vulnerabilities
fix
  22nd, December, 2004

A number of vulnerabilities were discovered in the MPlayer program
by iDEFENSE, Ariel Berkman, and the MPlayer development team. These vulnerabilities
include potential heap overflows in Real RTSP and pnm streaming code,
stack overflows in MMST streaming code, and multiple buffer overflows
in the BMP demuxer and mp3lib code.

http://www.linuxsecurity.com/content/view/117645

 
   NetBSD
  NetBSD: Insufficient argument validation
in compat code
  17th, December, 2004

Some of the translation functions performed unsafe operations
using the syscall arguments, and were exploitable to cause kernel traps.
Some of the flaws may be exploitable and result in privilege escalation.

http://www.linuxsecurity.com/content/view/117538

 
   Trustix
  Trustix: samba, php security update
  20th, December, 2004

Remote exploitation of an integer overflow vulnerability in
the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x
prior to and including 3.0.9 could allow an attacker to cause controllable
heap corruption, leading to execution of arbitrary commands with root
privileges.

http://www.linuxsecurity.com/content/view/117571

 
  Trustix: kernel Remote hole, local DoS
  20th, December, 2004

Paul Starzetz discovered a bug in the IGMP networking modules
of the Linux kernel. This allows for a remote DoS and local root exploit.

http://www.linuxsecurity.com/content/view/117572

 
  Trustix: anaconda, mailcap, mkinitrd,
vim, postgresql, ntp, sqlgrey, db4, rsync, postgresql bugfixes
  20th, December, 2004

The previous attempt to get PXE booting working with more network
cards turned out not to work. This update fixes that.

http://www.linuxsecurity.com/content/view/117573

 
  Trustix: kerberos5 execution of arbitary
code by authenticated user
  21st, December, 2004

There is a buffer overflow in the password history handling
code of libkadm5srv which could be exploited by an authenticated user
to execute arbitary code on a Key Distribution Center (KDC) server.

http://www.linuxsecurity.com/content/view/117612

 
   Red
Hat
  Red Hat: zip security issue fix
  16th, December, 2004

An updated zip package that fixes a buffer overflow vulnerability
is now available.

http://www.linuxsecurity.com/content/view/117532

 
  Red Hat: libxml security vulnerabilities
  16th, December, 2004

An updated libxml package that fixes multiple buffer overflows
is now available.

http://www.linuxsecurity.com/content/view/117533

 
  Red Hat: samba security issue fix
  16th, December, 2004

Updated samba packages that fix an integer overflow vulnerability
are now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/117534

 
  Red Hat: gd security issues fix
  17th, December, 2004

Updated gd packages that fix security issues with overflow in
various memory allocation calls are now available.

http://www.linuxsecurity.com/content/view/117535

 
  Red Hat: Xfree86 security issues fix
  20th, December, 2004

Updated XFree86 packages that fix several security flaws in
libXpm are now available for Red Hat Enterprise Linux 2.1.

http://www.linuxsecurity.com/content/view/117570

 
  Red Hat: rh-postgresql update
  20th, December, 2004

Trustix has identified improper temporary file usage in the
make_oidjoins_check script. It is possible that an attacker could overwrite
arbitrary file contents as the user running the make_oidjoins_check script.
This script has been removed from the RPM file since it has no use to
ordinary users. The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CAN-2004-0977 to this issue.

http://www.linuxsecurity.com/content/view/117601

 
  Red Hat: nfs-utils security vulnerabilities
fix
  20th, December, 2004

SGI reported that the statd daemon did not properly handle the
SIGPIPE signal. A misconfigured or malicious peer could cause statd to
crash, leading to a denial of service. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-1014
to this issue.

http://www.linuxsecurity.com/content/view/117602

 
  Red Hat: glibc update
  20th, December, 2004

This errata fixes several bugs in the GNU C Library.

http://www.linuxsecurity.com/content/view/117603

 
  Red Hat: php security issues and bugs
fix
  21st, December, 2004

Updated php packages that fix various security issues and bugs
are now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/content/view/117620

 
  Red Hat: samba security issue fix
  21st, December, 2004

Updated samba packages that fix an integer overflow vulnerability
are now available for Red Hat Enterprise Linux 2.1

http://www.linuxsecurity.com/content/view/117621

 
   SuSE
  SuSE: various kernel problems
  21st, December, 2004

Several vulnerabilities have been found and fixed in the Linux
kernel.

http://www.linuxsecurity.com/content/view/117618

 
  SuSE: samba remote privilege escalation
  22nd, December, 2004

The Samba developers informed us about several potential integer
overflow issues in the Samba 2 and Samba 3 code.

http://www.linuxsecurity.com/content/view/117619