Linux Advisory Watch – November 19, 2004

46

Author: Preston St. Pierre

This week, advisories were released for libxml2, MySQL, imagemagick, Apache,
fetch, Ruby, BNC, Squirrelmail, gd, sudo, totem, drakxtools, httpd, freeradius,
libxml2, and iptables. The distributors include Conectiva, Debian, Fedora, FreeBSD,
Gentoo, Mandrake, Red Hat, Suse, and Trustix.

Root Security

The most sought-after account on your machine is the superuser account.
This account has authority over the entire machine, which may also
include authority over other machines on the network. Remember that you
should only use the root account for very short specific tasks and
should mostly run as a normal user. Running as root all the time is
a very very very bad idea.

Several tricks to avoid messing up your own box as root:

  • When doing some complex command, try running it first in a non destructive
    way…especially commands that use globbing: e.g., you are going to do a rm
    foo*.bak, instead, first do: ls foo*.bak and make sure you are going to delete
    the files you think you are. Using echo in place of destructive commands also
    sometimes works.
  • Provide your users with a default alias to the /bin/rm command to ask for
    confirmation for deletion of files.
  • Only become root to do single specific tasks. If you find yourself trying
    to figure out how to do something, go back to a normal user shell until you
    are sure what needs to be done by root.
  • The command path for the root user is very important. The command path,
    or the PATH environment variable, defines the location the shell searches
    for programs. Try and limit the command path for the root user as much as
    possible, and never use ‘.’, meaning ‘the current directory’, in your PATH
    statement. Additionally, never have writable directories in your search path,
    as this can allow attackers to modify or place new binaries in your search
    path, allowing them to run as root the next time you run that command.
  • Never use the rlogin/rsh/rexec (called the “r-utilities”) suite of tools
    as root. They are subject to many sorts of attacks, and are downright dangerous
    run as root. Never create a .rhosts file for root.
  • The /etc/securetty file contains a list of terminals that root can login
    from. By default (on Red Hat Linux) this is set to only the local virtual
    consoles (vtys). Be very careful of adding anything else to this file. You
    should be able to login remotely as your regular user account and then use
    su if you need to (hopefully over ssh or other encrypted channel), so there
    is no need to be able to login directly as root.
  • Always be slow and deliberate running as root. Your actions could affect
    a lot of things. Think before you type!

If you absolutely positively need to allow someone (hopefully very
trusted) to have superuser access to your machine, there are a few tools
that can help. sudo allows users to use their password to access a limited
set of commands as root. sudo keeps a log of all successful and unsuccessful
sudo attempts, allowing you to track down who used what command to do what.
For this reason sudo works well even in places where a number of people have
root access, but use sudo so you can keep track of changes made.

Although sudo can be used to give specific users specific privileges for
specific tasks, it does have several shortcomings. It should be used only
for a limited set of tasks, like restarting a server, or adding new users.
Any program that offers a shell escape will give the user root access.
This includes most editors, for example. Also, a program as innocuous as
/bin/cat can be used to overwrite files, which could allow root to be
exploited. Consider sudo as a means for accountability, and don’t expect
it to replace the root user yet be secure.

 
Distribution: Conectiva
  11/18/2004 libxml2
    buffer overflow vulnerabilities fix

This update fixes a buffer overflow vulnerability[2,3] in the URI parsing code found by “infamous41md” at the nanoftp and nanohttp modules of libxml2. An attacker may exploit this vulnerability to execute arbitrary code with the privileges of the user running an affected application.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5193.html

 
  11/18/2004 MySQL
    vulnerabilities fix

Oleksandr Byelkin noticed[2] that ALTER TABLE … RENAME checks CREATE/INSERT rights of the old table instead of the new one. Lukasz Wojtow noticed[3] a buffer overrun in the mysql_real_connect() function.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5194.html

 
 
Distribution: Debian
  11/12/2004 ez-ipupdate format string vulnerability fix
    vulnerabilities fix

Ulf H?rnhammar from the Debian Security Audit Project discovered a format string vulnerability in ez-ipupdate, a client for many dynamic DNS services. This problem can only be exploited if ez-ipupdate is running in daemon mode (most likely) with many but not all service types.

http://www.linuxsecurity.com/advisories/debian_advisory-5162.html

 
  11/16/2004 imagemagick
    arbitrary code execution fix

A vulnerability has been reported for ImageMagick, a commonly used image manipulation library. Due to a boundary error within the EXIF parsing routine, a specially crafted graphic images could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/debian_advisory-5172.html

 
  11/17/2004 Apache
    arbitrary code execution fix

“Crazy Einstein” has discovered a vulnerability in the “mod_include” module, which can cause a buffer to be overflown and could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/debian_advisory-5180.html

 
 
Distribution: Fedora
  11/12/2004 httpd-2.0.51-2.9 update
    arbitrary code execution fix

This update includes the fixes for an issue in mod_ssl which could lead to a bypass of an SSLCipherSuite setting in directory or location context (CVE CAN-2004-0885), and a memory consumption denial of service issue in the handling of request header lines (CVE CAN-2004-0942).

http://www.linuxsecurity.com/advisories/fedora_advisory-5166.html

 
  11/12/2004 httpd-2.0.52-3.1 update
    arbitrary code execution fix

This update includes the fix for a memory consumption denial of service issue in the handling of request header lines (CVE CAN-2004-0942).

http://www.linuxsecurity.com/advisories/fedora_advisory-5167.html

 
  11/12/2004 subversion-1.0.9-1 update
    arbitrary code execution fix

This update includes the latest release of Subversion 1.0, including the fix for a regression in the performance of repository browsing since version 1.0.8.

http://www.linuxsecurity.com/advisories/fedora_advisory-5168.html

 
  11/12/2004 subversion-1.1.1-1.1 update
    arbitrary code execution fix

This update includes the latest release of Subversion 1.1, including the fix for a regression in the performance of repository browsing since version 1.1.0 and a variety of other bug fixes.

http://www.linuxsecurity.com/advisories/fedora_advisory-5169.html

 
  11/12/2004 gdb-6.1post-1.20040607.43 update
    arbitrary code execution fix

#136455 workaround to prevent gdb from failing and getting stuck when hitting certain DWARF-2 symbols.

http://www.linuxsecurity.com/advisories/fedora_advisory-5170.html

 
  11/16/2004 abiword-2.0.12-4.fc3 update
    arbitrary code execution fix

Backport fix to stop #rh139201# crash on CTRL-A and making font changes

http://www.linuxsecurity.com/advisories/fedora_advisory-5178.html

 
  11/16/2004 authd-1.4.3-1 update
    arbitrary code execution fix

fix double-free prob detected on x86_64 glibc (#136392)

http://www.linuxsecurity.com/advisories/fedora_advisory-5182.html

 
  11/16/2004 gaim-1.0.3-0.FC3 update
    arbitrary code execution fix

1.0.3 another bugfix release

http://www.linuxsecurity.com/advisories/fedora_advisory-5183.html

 
  11/17/2004 xorg-x11-6.7.0-10 update
    arbitrary code execution fix

Several integer overflow flaws in the X.Org libXpm library used to decode XPM (X PixMap) images have been found and addressed. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim.

http://www.linuxsecurity.com/advisories/fedora_advisory-5191.html

 
  11/17/2004 xorg-x11-6.8.1-12.FC3.1 update
    arbitrary code execution fix

Several integer overflow flaws in the X.Org libXpm library used to decode XPM (X PixMap) images have been found and addressed. An attacker could create a carefully crafted XPM file which would cause an application to crash or potentially execute arbitrary code if opened by a victim.

http://www.linuxsecurity.com/advisories/fedora_advisory-5192.html

 
 
Distribution: FreeBSD
  11/18/2004 fetch
    Overflow error

An integer overflow condition in the processing of HTTP headers can result in a buffer overflow.

http://www.linuxsecurity.com/advisories/freebsd_advisory-5195.html

 
 
Distribution: Gentoo
  11/16/2004 Ruby
    Denial of Service issue

The CGI module in Ruby can be sent into an infinite loop, resulting in a Denial of Service condition.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5173.html

 
  11/16/2004 BNC
    Buffer overflow vulnerability

BNC contains a buffer overflow vulnerability that may lead to Denial of Service and execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5174.html

 
  11/17/2004 Squirrelmail
    Encoded text XSS vulnerability

Squirrelmail fails to properly sanitize user input, which could lead to a compromise of webmail accounts.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5189.html

 
  11/17/2004 GIMPS, SETI@home, ChessBrain Insecure installation
    Encoded text XSS vulnerability

Improper file ownership allows user-owned files to be run with root privileges by init scripts.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5190.html

 
 
Distribution: Mandrake
  11/17/2004 gd
    integer overflows fix

Integer overflows were reported in the GD Graphics Library (libgd) 2.0.28, and possibly other versions. These overflows allow remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx() function.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5185.html

 
  11/17/2004 sudo
    vulnerability fix

Liam Helmer discovered a flow in sudo’s environment sanitizing. This flaw could allow a malicious users with permission to run a shell script that uses the bash shell to run arbitrary commands.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5186.html

 
  11/17/2004 Apache
    buffer overflow fix

A possible buffer overflow exists in the get_tag() function of mod_include, and if SSI (Server Side Includes) are enabled, a local attacker may be able to run arbitrary code with the rights of an httpd child process.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5187.html

 
  11/17/2004 Apache2
    request DoS fix

A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan Trivedi; he found that by sending a large amount of specially- crafted HTTP GET requests, a remote attacker could cause a Denial of Service on the httpd server.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5188.html

 
  11/18/2004 bootloader-utils kheader issue fix
    request DoS fix

A problem with generating kernel headers exists when using the newer kernel-i686-up-64GB package. The updated bootloader-utils package corrects the issue.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5196.html

 
  11/18/2004 totem
    problem with blue screen fix

There is a problem in the totem package where in some cases when running totem a blue screen would appear. Resizing the screen seems to fix the problem temporarily, however upon minimizing or maximizing the screen it would once again become blue.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5197.html

 
  11/18/2004 drakxtools
    various issues fix

A number of fixes are available in the updated drakxtools package.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5198.html

 
 
Distribution: Red Hat
  11/12/2004 httpd
    security issue and bugs fix

Updated httpd packages that include fixes for two security issues, as well as other bugs, are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5163.html

 
  11/12/2004 freeradius
    security flaws fix

Updated freeradius packages that fix a number of denial of service vulnerabilities as well as minor bugs are now available for Red Hat Enterprise Linux 3.

http://www.linuxsecurity.com/advisories/redhat_advisory-5164.html

 
  11/12/2004 libxml2
    security vulnerabilities fix

An updated libxml2 package that fixes multiple buffer overflows is now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5165.html

 
  11/16/2004 samba
    security vulnerabilities fix

Updated samba packages that fix various security vulnerabilities are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5179.html

 
 
Distribution: Suse
  11/15/2004 samba
    remote buffer overflow

There is a problem in the Samba file sharing service daemon, which allows a remote user to have the service consume lots of computing power and potentially crash the service by querying special wildcarded filenames.

http://www.linuxsecurity.com/advisories/suse_advisory-5171.html

 
  11/17/2004 xshared, XFree86-libs, xorg-x11-libs remote system compromises
    remote buffer overflow

The XPM library which is part of the XFree86/XOrg project is used by several GUI applications to process XPM image files. A source code review done by Thomas Biege of the SuSE Security-Team revealed several different kinds of bugs.

http://www.linuxsecurity.com/advisories/suse_advisory-5184.html

 
 
Distribution: Trustix
  11/16/2004 gd
    samba sqlgrey sudo Various security fixes

gd is a graphics library. It allows your code to quickly draw images complete with lines, arcs, text, multiple colors, cut and paste from other images, and flood fills, and write out the result as a PNG or JPEG file.

http://www.linuxsecurity.com/advisories/trustix_advisory-5175.html

 
  11/16/2004 apache
    automake bind console-tools Package bugfix

Apache is a full featured web server that is freely available, and also happens to be the most widely used.

http://www.linuxsecurity.com/advisories/trustix_advisory-5176.html

 
  11/16/2004 iptables
    Loading too many modules

Olaf Rempel pointed out that the list of modules we autoload is too large. This has now been fixed.

http://www.linuxsecurity.com/advisories/trustix_advisory-5177.html

 
  11/16/2004 gd
    samba sqlgrey sudo several overflows

There has been found serveral overflows in gd. This can be used to execute arbitary code in programs using the gd library.

http://www.linuxsecurity.com/advisories/trustix_advisory-5181.html