Linux Advisory Watch – April 22, 2005

33

Author: Benjamin D. Thomas

This week, advisories were released for MySQL, PHP, libexif, gtkhtml, info2www,
geneweb, f2c, XFCE, vixie-cron, at, nasm, aspell, urw-fonts, htdig, alsa-lib,
curl, HelixPlayer, cvs, foomatic, monkeyd, mplayer, xloadimage, logwatch, kernel,
OpenOffice, and PostgreSQL. The distributors include Conectiva, Debian, Fedora,
Gentoo, Red Hat, and SuSE.Introduction: Buffer Overflow Vulnerabilities
By: Erica R. Thomas

In exploiting the buffer overflow vulnerability, the main objective is to overwrite
some control information in order to change the flow of control in the program.
The usual way of taking advantage of this is to modify the control information
to give authority to code provided by the attacker to take control. According
to Shaneck, “The most widespread type of exploit is called ‘Smashing the Stack’
and involves overwriting the return address stored on the stack to transfer
control to code placed either in the buffer, or past the end of the buffer.”
(Shaneck, 2003) The stack is a section of memory used for temporary storage
of information. In a stack-based buffer overflow attack, the attacker adds more
data than expected to the stack, overwriting data. Farrow explains this in an
example, “Let’s say that a program is executing and reaches the stage where
it expects to use a postal code or zip code, which it gets from a Web-based
form that customers filled out.” (Farrow, 2002) The longest postal code is fewer
than twelve characters, but on the web form, the attacker typed in the letter
“A” 256 times, followed by some other commands. The data overflows the buffer
allotted for the zip code and the attacker’s commands fall into the stack. After
a function is called, the address of the instruction following the function
call is pushed onto the stack to be saved so that the function knows where to
return control when it is finished. A buffer overflow allows the attacker to
change the return address of a function to a point in memory where they have
already inserted executable code. Then control can be transferred to the malicious
attack code contained with the buffer, called the payload (Peikari and Chuvakin,
2004). The payload is normally a command to allow remote access or some other
command that would get the attacker closer to having control of the system.
As Holden explains, “a computer is flooded with more information than it can
handle, and some of it may contain instructions that could damage files on the
computer or disclose information that is normally protected- or give the hacker
root access to the system.” (Holden, 2004)

The best defense against any of these attacks is to have perfect programs.
In ideal circumstances, every input in every program would do bounds checks
to allow only a given number of characters. Therefore, the best way to deal
with buffer overflow problems is to not allow them to occur in the first place.
Unfortunately, not all programs are perfect and some have bugs that permit the
attacks discussed in this paper. As described by Farrow, “because programs are
not perfect, programmers have come up with schemes to defend against buffer
overflow attacks.” (Farrow, 2002) One technique entails enforcing the computer
to use the stack and the heap for data only and to never to execute any instructions
found there. This approach can work for UNIX systems, but it can’t be used on
Windows systems. Farrow describes another scheme using a canary to protect against
buffer overflows, but only the kind that overwrite the stack. (Farrow, 2002)
The stack canary protects the stack by being put in sensitive locations in memory
like the return address (that tells the computer where to find the next commands
to execute after it completes its current function). As described by Farrow,
“before return addresses get used, the program checks to see if the canary is
okay.” (Farrow, 2002) If the canary has been hit, the program then quits because
it knows that something has gone wrong. As a user of the programs, the best
countermeasure is to make sure your systems are fully patched in order to protect
yourself from exploits targeting vulnerabilities.

Read Full Article:
http://www.linuxsecurity.com/content/view/118881/49/

LinuxSecurity.com
Feature Extras:

Getting
to Know Linux Security: File Permissions
– Welcome to the first
tutorial in the ‘Getting to Know Linux Security’ series. The topic explored
is Linux file permissions. It offers an easy to follow explanation of how
to read permissions, and how to set them using chmod. This guide is intended
for users new to Linux security, therefore very simple. If the feedback is
good, I’ll consider creating more complex guides for advanced users. Please
let us know what you think and how these can be improved.

The
Tao of Network Security Monitoring: Beyond Intrusion Detection

– To be honest, this was one of the best books that I’ve read on network security.
Others books often dive so deeply into technical discussions, they fail to
provide any relevance to network engineers/administrators working in a corporate
environment. Budgets, deadlines, and flexibility are issues that we must all
address. The Tao of Network Security Monitoring is presented in such a way
that all of these are still relevant.

Encrypting
Shell Scripts
– Do you have scripts that contain sensitive information
like passwords and you pretty much depend on file permissions to keep it secure?
If so, then that type of security is good provided you keep your system secure
and some user doesn’t have a “ps -ef” loop running in an attempt to capture
that sensitive info (though some applications mask passwords in “ps” output).

 

Take advantage of our Linux Security discussion
list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headline
.


   Conectiva
  Conectiva: MySQL Fixes for two mysql
vulnerabilities
  20th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118933

 
   Debian
  Debian: New PHP3 packages fix denial
of service
  15th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118884

 
  Debian: New libexif packages fix arbitrary
code execution
  15th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118889

 
  Debian: New gtkhtml packages fix denial
of service
  18th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118901

 
  Debian: New info2www packages fix cross-site
scripting vulnerability
  19th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118907

 
  Debian: New geneweb packages fix insecure
file operations
  19th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118915

 
  Debian: New f2c packages fix insecure
temporary files
  20th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118927

 
   Fedora
  Fedora Core 3 Update: XFCE 4.2.1.1 (15
packages)
  15th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118890

 
  Fedora Core 3 Update: vixie-cron-4.1-33_FC3
  15th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118891

 
  Fedora Core 3 Update: at-3.1.8-70_FC3
  15th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118892

 
  Fedora Core 3 Update: nasm-0.98.38-3.FC3
  18th, April, 2005

The new NASM packages contain fixes for CAN-2004-1287 and one
additional vsprintf buffer overflow.

http://www.linuxsecurity.com/content/view/118899

 
  Fedora Core 3 Update: php-4.3.11-2.4
  18th, April, 2005

This update includes the latest stable release of PHP 4.3, including
a number of security fixes to the exif extension (CVE CAN-2005-1042 and
CAN-2005-1043) and the getimagesize() function (CVE CAN-2005-0524), along
with many bug fixes.

http://www.linuxsecurity.com/content/view/118900

 
  Fedora Core 3 Update: aspell-bg-0.50-8.fc3
  19th, April, 2005

aspell-bg-0.50-7 contains many false words. aspell-bg-0.50-8.fc3
fix this problem.

http://www.linuxsecurity.com/content/view/118914

 
  Fedora Core 3 Update: urw-fonts-2.3-0.FC3.1
  19th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118916

 
  Fedora Core 3 Update: htdig-3.2.0b6-3.FC3.1
  19th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118917

 
  Fedora Core 3 Update: alsa-lib-1.0.6-8.FC3
  20th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118931

 
  Fedora Core 3 Update: curl-7.12.3-3.fc3
  20th, April, 2005

New curl version fixes CAN-2005-0490 problem (Multiple stack
based overflows).

http://www.linuxsecurity.com/content/view/118932

 
  Fedora Core 3 Update: HelixPlayer-1.0.4-1.0.fc3.1
  20th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118934

 
  Fedora Core 3 Update: cvs-1.11.17-6.FC3
  20th, April, 2005

Updated package.

http://www.linuxsecurity.com/content/view/118935

 
  Fedora Core 3 Update: foomatic-3.0.2-13.4
  20th, April, 2005

This is a minor bug-fix update.

http://www.linuxsecurity.com/content/view/118936

 
   Gentoo
  Gentoo: OpenOffice.Org DOC document Heap
Overflow
  15th, April, 2005

OpenOffice.Org is vulnerable to a heap overflow when processing
DOC documents, which could lead to arbitrary code execution.

http://www.linuxsecurity.com/content/view/118893

 
  Gentoo: monkeyd Multiple vulnerabilities
  15th, April, 2005

Format string and Denial of Service vulnerabilities have been
discovered in the monkeyd HTTP server, potentially resulting in the execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/118894

 
  Gentoo: PHP Multiple vulnerabilities
  18th, April, 2005

Several vulnerabilities were found and fixed in PHP image handling
functions, potentially resulting in Denial of Service conditions or the
remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118897

 
  Gentoo: CVS Multiple vulnerabilities
  18th, April, 2005

Several serious vulnerabilities have been found in CVS, which
may allow an attacker to remotely compromise a CVS server or cause a DoS.

http://www.linuxsecurity.com/content/view/118905

 
  Gentoo: XV Multiple vulnerabilities
  19th, April, 2005

Multiple vulnerabilities have been discovered in XV, potentially
resulting in the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118906

 
  Gentoo: Mozilla Firefox, Mozilla Suite
Multiple vulnerabilities
  19th, April, 2005

New Mozilla Firefox and Mozilla Suite releases fix new security
vulnerabilities, including memory disclosure and various ways of executing
JavaScript code with elevated privileges.

http://www.linuxsecurity.com/content/view/118910

 
  Gentoo: MPlayer Two heap overflow vulnerabilities
  20th, April, 2005

Two vulnerabilities have been found in MPlayer which could lead
to the remote execution of arbitrary code.

http://www.linuxsecurity.com/content/view/118924

 
   Red
Hat
  RedHat: Low: xloadimage security update
  19th, April, 2005

A new xloadimage package that fixes bugs in handling malformed
tiff and pbm/pnm/ppm images, and in handling metacharacters in filenames
is now available. This update has been rated as having low security impact
by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118919

 
  RedHat: Moderate: logwatch security update
  19th, April, 2005

An updated logwatch package that fixes a denial of service issue
is now available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118920

 
  RedHat: Important: kernel security update
  19th, April, 2005

Updated kernel packages that fix several security issues are
now available for Red Hat Enterprise Linux 4. This update has been rated
as having important security impact by the Red Hat Security Response Team.
The Linux kernel handles the basic functions of the operating system.

http://www.linuxsecurity.com/content/view/118921

 
  RedHat: Critical: RealPlayer security
update
  20th, April, 2005

An updated RealPlayer package that fixes a buffer overflow issue
is now available. This update has been rated as having critical security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118937

 
  RedHat: Critical: HelixPlayer security
update
  20th, April, 2005

An updated HelixPlayer package that fixes a buffer overflow
issue is now available. This update has been rated as having critical
security impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118938

 
  RedHat: Critical: RealPlayer security
update
  20th, April, 2005

An updated RealPlayer package that fixes a buffer overflow issue
is now available. This update has been rated as having critical security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118940

 
  RedHat: Important: firefox security update
  21st, April, 2005

Updated firefox packages that fix various security bugs are
now available. This update has been rated as having Important security
impact by the Red Hat Security Response Team.

http://www.linuxsecurity.com/content/view/118941

 
   SuSE
  SuSE: php remote denial of
service
  15th, April, 2005

This update fixes the following security issues in the PHP scripting
language.

http://www.linuxsecurity.com/content/view/118883

 
  SuSE: cvs (SUSE-SA:2005:024)
  18th, April, 2005

The Concurrent Versions System (CVS) offers tools which allow
developers to share and maintain large software projects. The current
maintainer of CVS reported various problems within CVS such as a buffer
overflow and memory access problems which have been fixed within the available
updates. The CVE project has assigned the CAN number CAN-2005-0753.

http://www.linuxsecurity.com/content/view/118898

 
  SuSE: OpenOffice heap overflow problem
  19th, April, 2005

This security update fixes a buffer overflow in OpenOffice_org
Microsoft Word document reader which could allow a remote attacker sending
a handcrafted .doc file to execute code as the user opening the document
in OpenOffice.

http://www.linuxsecurity.com/content/view/118911

 
  SuSE: RealPlayer buffer overflow in RAM
  20th, April, 2005

This update fixes a security issue within the RealPlayer media
player.

http://www.linuxsecurity.com/content/view/118925

 
  SuSE: PostgreSQL buffer overflow problems
  20th, April, 2005

Several problems were identified and fixed in the PostgreSQL
database server.

http://www.linuxsecurity.com/content/view/118926