Linux Advisory Watch – July 30, 2004

44

Author: Preston St. Pierre

This
week, advisories were released for sendmail, tcpdump, kernel, samba,
mailreader, courier, abiword, subversion, php, sox, Pavuk, phpMyAdmin,
postgresql, XFree86, webmin, mod_ssl and wv. The distributors include
SCO Group, Conectiva, Debian, Fedora, Gentoo, Mandrake, Red Hat,
Slackware, Suse and Trustix. Using Sudo

sudo is a mechanism of providing root prileges to an ordinary user.

If you absolutely positively need to allow someone (hopefully very
trusted) to have superuser access to your machine, there are a few
tools that can help. Sudo allows users to use their password to access
a limited set of commands as root. Sudo keeps a log of all successful
and unsuccessful sudo attempts, allowing you to track down who used
what command to do what. For this reason sudo works well even in places
where a number of people have root access, but use sudo so you can keep
track of changes made.

Although sudo can be used to give specific users specific privileges
for specific tasks, it does have several shortcomings. It should be
used only for a limited set of tasks, like restarting a server, or
adding new users.  Any program that offers a shell escape will
give the user root access.  This includes most editors, for
example. Also, a program as innocuous as /bin/cat can be used to
overwrite files, which could allow root to be exploited. Consider sudo
as a means for accountability, and don’t expect it to replace the root
user, yet be secure.

To do almost any administrative function in Linux one requires root
(privileged) access. Unfortunately the built in mechanisms that can be
used to grant this type of access are relatively weak. The primary tool
is “su” which lets you run a shell as another user, unfortunately you
need the other user’s password, so everyone you want to grant root
access will have the password and unrestricted access. A slightly more
fine grained tool is the setuid or setgid bit, if this is set on a
file, then the file runs as the user or group that owns it (typically
root). Managing file permissions, and ensuring there are no bugs in the
program that can be used to gain full root access is difficult at best.

 Security Tip Written by Dave Wreski (dave@guardiandigital.com)
 Additional tips are available at the following URL:
 http://www.linuxsecurity.com/tips/

—–

LinuxSecurity
Feature Extras:

Security
Expert Dave Wreski Discusses Open Source Security
Dave Wreski, CEO of
Guardian Digital, Inc. and respected author of various hardened
security and Linux publications, talks about how Guardian Digital is
changing the face of IT security today. Guardian Digital is perhaps
best known for their hardened Linux solution EnGarde Secure Linux,
touted as the premier secure, open-source platform for its
comprehensive array of general purpose services, such as web, FTP,
email, DNS, IDS, routing, VPN, firewalling, and much more.

Catching up with Wietse Venema, creator of Postfix and TCP
Wrapper
– Duane Dunston speaks at
length with Wietse Venema on his current  research projects at the
Thomas J. Watson Research Center, including  his forensics efforts
with The Coroner’s Toolkit. Wietse Venema is best  known for the
software TCP Wrapper, which is still widely used today  and is
included with almost all unix systems.  Wietse is also the 
author of the Postfix mail system and the co-author of the very cool
suite of utilities called The Coroner’s Toolkit or “TCT”.

[ Linux
Advisory Watch
] – [ Linux Security Week
] – [ PacketStorm
Archive
] – [ Linux
Security Documentation
]


Linux
Advisory
Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It
includes pointers to updated packages and descriptions of each
vulnerability.
[
Subscribe
]


 
Distribution: SCO Group
  7/29/2004 sendmail
    Multiple vulnerabilities

This patch addresses one Denial of Service vulnerability and one other
that can lead to the execution of arbitrary code.
http://www.linuxsecurity.com/advisories/caldera_advisory-4611.html

 
  7/29/2004 tcpdump
    Multiple vulnerabilities

This patch addresses three seperate vulnerabilities of tcpdump.
http://www.linuxsecurity.com/advisories/caldera_advisory-4612.html

 
 
Distribution: Conectiva
  7/29/2004 kernel
    Multiple vulnerabilities

This patch fixes five seperate kernel vulnerabilities.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4610.html

 
  7/30/2004 samba
    Buffer overflow
vulnerabilities

Exploitation of these vulnerabilites could lead to execution of
arbitrary code.
http://www.linuxsecurity.com/advisories/conectiva_advisory-4620.html

 
 
Distribution: Debian
  7/23/2004 libapache-mod-ssl
Multiple
vulnerabilities
    Buffer overflow
vulnerabilities

This patch resolves a buffer overflow and a format string
vulnerability, either of which can lead to an arbitrary code execution.

http://www.linuxsecurity.com/advisories/debian_advisory-4594.html

 
  7/23/2004 mailreader
    Directory traversal
vulnerability

A directory traversal vulnerability was discovered in mailreader
whereby remote attackers could view arbitrary files with the privileges
of the nph-mr.cgi process (by default, www-data)
http://www.linuxsecurity.com/advisories/debian_advisory-4595.html

 
  7/23/2004 courier
    Cross Site Scripting
vulnerability

An attacker could cause web script to be executed within the security
context of the sqwebmail application.
http://www.linuxsecurity.com/advisories/debian_advisory-4596.html

 
  7/29/2004 libapache-mod-ssl
Multiple
vulnerabilities
    Cross Site Scripting
vulnerability

This patch fixes a buffer overflow and a format string vulnerability in
libapache-mod-ssl, both of which allow execution of arbitrary code.
http://www.linuxsecurity.com/advisories/debian_advisory-4609.html

 
 
Distribution: Fedora
  7/23/2004 abiword
    Undefined security fix

2.0.5 + wv security backport
http://www.linuxsecurity.com/advisories/fedora_advisory-4591.html

 
  7/23/2004 subversion
    Information leak
vulnerability

Vulnerability allows reading of part of a repository when a user can
write to another.
http://www.linuxsecurity.com/advisories/fedora_advisory-4592.html

 
  7/23/2004 php
    Multiple vulnerabilities

This patch resolves two different php vulnerabilities, one of which
allows arbitrary code execution on the local machine, the other XSS
(Cross Site Scripting).
http://www.linuxsecurity.com/advisories/fedora_advisory-4593.html

 
  7/29/2004 sox
    Buffer overflow
vulnerabilities

Exploiting this, an attacker could embed arbitrary code in a calicious
WAV file which would execute when it is played.
http://www.linuxsecurity.com/advisories/fedora_advisory-4608.html

 
 
Distribution: Gentoo
  7/29/2004 Subversion
    Permission escape
vulnerability

Users with write access to parts of a Subversion repository may bypass
read restrictions in mod_authz_svn and read any part of the repository
they wish. An important addendum follows the advisory.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4606.html

 
  7/29/2004 Pavuk
    Buffer overflow
vulnerability

Pavuk contains a bug that can allow an attacker to run arbitrary code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4607.html

 
  7/30/2004 samba
    Buffer overflow
vulnerabilities

Two buffer overflows vulnerabilities were found in Samba, potentially
allowing the remote execution of arbitrary code. (Note: this
announcement takes the ERRATA released by Gentoo into account).
http://www.linuxsecurity.com/advisories/gentoo_advisory-4617.html

 
  7/30/2004 phpMyAdmin
    Multiple vulnerabilities

Multiple vulnerabilities in phpMyAdmin may allow a remote attacker with
a valid user account to alter configuration variables and execute
arbitrary PHP code.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4618.html

 
  7/30/2004 SoX
    Buffer overflow
vulnerabilities

By enticing a user to play or convert a specially crafted WAV file an
attacker could execute arbitrary code with the permissions of the user
running SoX.
http://www.linuxsecurity.com/advisories/gentoo_advisory-4619.html

 
 
Distribution: Mandrake
  7/23/2004 samba
    Buffer overflow
vulnerabilities

This patch fixes two seperate exploitable buffer overruns in samba.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4590.html

 
  7/29/2004 postgresql
    Buffer overflow
vulnerability

A buffer overflow has been discovered in the ODBC driver of PostgreSQL.

http://www.linuxsecurity.com/advisories/mandrake_advisory-4601.html

 
  7/29/2004 XFree86
    Improper open port
vulnerability

XDM in XFree86 opens a chooserFd TCP socket even when
DisplayManager.requestPort is 0, which could allow remote attackers to
connect to the port, in violation of the intended restrictions.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4602.html

 
  7/29/2004 webmin
    Multiple vulnerabilities

This patch addresses an information leak and a method that allows brute
force user/password attacks.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4603.html

 
  7/29/2004 mod_ssl
    Insecure log access

Ralf S. Engelschall found a remaining risky call to ssl_log while
reviewing code for another issue reported by Virulent.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4604.html

 
  7/29/2004 sox
    Buffer overflow
vulnerabilities

Ulf Harnhammar discovered two buffer overflows in SoX. They occur when
the sox or play commands handle malicious .WAV files.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4605.html

 
  7/30/2004 wv
    Buffer overflow
vulnerabilty

iDefense discovered a buffer overflow vulnerability in the wv package
which could allow an attacker to execute arbitrary code with the
runner’s privileges.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4615.html

 
  7/30/2004 OpenOffice.org
Multiple
vulnerabilities
    Buffer overflow
vulnerabilty

These updated packages contain fixes to libneon to correct the several
format string vulnerabilities in it, as well as a heap-based buffer
overflow vulnerability.
http://www.linuxsecurity.com/advisories/mandrake_advisory-4616.html

 
 
Distribution: Red Hat
  7/29/2004 samba
    Buffer overflow
vulnerability

The Samba team discovered a buffer overflow in the code used to support
the ‘mangling method = hash’ smb.conf option.
http://www.linuxsecurity.com/advisories/redhat_advisory-4600.html

 
  7/30/2004 sox
    Buffer overflow
vulnerabilities

A malicious WAV file could cause arbitrary code to be executed when the
file was played or converted.
http://www.linuxsecurity.com/advisories/redhat_advisory-4613.html

 
  7/30/2004 ipsec-tools
Key
verification vulnerability
    Buffer overflow
vulnerabilities

When configured to use X.509 certificates to authenticate remote hosts,
psec-tools versions 0.3.3 and earlier will attempt to verify that host
certificate, but will not abort the key exchange if verification fails.

http://www.linuxsecurity.com/advisories/redhat_advisory-4614.html

 
 
Distribution: Slackware
  7/29/2004 samba
    Buffer overflow
vulnerabilities

This fixes two buffer overflows in SAMBA. There are two sections to
this advisory: the original and the one that does NOT add a new
dependancy.
http://www.linuxsecurity.com/advisories/slackware_advisory-4598.html

 
  7/29/2004 mod_ssl
    Format string
vulnerability

A format string vulnerability in mod_proxy hook functions could allow
an attacker to run code as the mod_ssl user.
http://www.linuxsecurity.com/advisories/slackware_advisory-4599.html

 
 
Distribution: Suse
  7/23/2004 samba
    Buffer overflow
vulnerabilities

This patch resolves two buffer overflows, both of which could be used
to execute arbitrary code.
http://www.linuxsecurity.com/advisories/suse_advisory-4589.html

 
 
Distribution: Trustix
  7/29/2004 apache,mod_php4,samba
Multiple vulnerabilities
    Buffer overflow
vulnerabilities

This patch fixes a variety of vulnerabilities affecting apache,
mod_php4, and samba.
http://www.linuxsecurity.com/advisories/trustix_advisory-4597.html