Author: JT Smith
Thomas –
This week, advisories were released for chfn, bzip2, pam_ldap, uudecode, inn,
kdegraphics, krb5, heimdal, mozilla, ypserv, mod_ssl, syslog-ng, and lprng. The vendors include Caldera, Debian, EnGarde, Gentoo, Mandrake, and SuSE.
Package: chfn
Date: 10-30-2002
Description: The util-linux package is vulnerable to privilege escalation: the temporary file “ptmptmp” is not removed properly when the “chfn” utility is used.
Vendor Alerts: Caldera

Package: bzip2
Date: 10-29-2002
Description: bzip2 creates decompressed files with world-readable permissions and only afterwards sets the permissions recorded in the bzip2 archive, so a local user can read a file while it is still being decompressed.
Vendor Alerts: Caldera

Package: pam_ldap
Date: 10-29-2002
Description: The pam_ldap module authenticates users against a directory using LDAP. Versions of pam_ldap prior to version 144 contain a format string bug in the logging function.
Vendor Alerts: Caldera

Package: uudecode
Date: 10-28-2002
Description: The uudecode utility creates its output file without checking whether it is about to write to a symlink or a pipe. If uudecode is used to extract data into a world-writable shared directory such as /tmp, a local attacker can use this to overwrite files or escalate privileges.
Vendor Alerts: Caldera, Gentoo

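The bzip2 entry above (output world-readable until the final chmod) and this uudecode entry (writing through a symlink or FIFO in a shared directory) are two faces of the same problem: how an output file is created in a directory other users can write to. The following is an added example, not code from bzip2, uudecode or any of the vendors listed here. It opens the output with O_CREAT|O_EXCL|O_NOFOLLOW and a private 0600 mode, confirms through fstat() on the descriptor (not the path) that it got a fresh regular file, and applies the mode recorded in the archive only after the contents are written. The scratch directory, file names and payload are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open a brand-new output file in a possibly shared directory.
 *  - O_EXCL:     refuse to reuse an existing file (no clobbering, no symlink race)
 *  - O_NOFOLLOW: never follow a symlink at the final path component
 *  - mode 0600:  contents stay private while they are being written
 * Then fstat() the descriptor and refuse anything that is not a plain,
 * single-link regular file (for example a FIFO planted by an attacker).
 */
int open_output_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Write `len` bytes to `path`, then apply the mode recorded in the archive
 * header (masked by the process umask) only once the data is complete.
 * Returns 0 on success, -1 on error with errno set by the failing call. */
int extract_to_file(const char *path, const unsigned char *data, size_t len,
                    mode_t archive_mode)
{
    int fd = open_output_safely(path);
    if (fd < 0)
        return -1;
    size_t off = 0;
    while (off < len) {
        ssize_t n = write(fd, data + off, len - off);
        if (n < 0) {
            close(fd);
            return -1;
        }
        off += (size_t)n;
    }
    mode_t um = umask(0);   /* read the current umask ... */
    umask(um);              /* ... and restore it */
    if (fchmod(fd, archive_mode & ~um & 07777) < 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Exercise the failure modes in a fresh scratch directory (constructed).
 * Returns 0 when every check passes, otherwise the number of the failed step. */
int self_check(void)
{
    char dir[] = "/tmp/extract-demo-XXXXXX";
    if (!mkdtemp(dir)) {                       /* fall back to the current directory */
        strcpy(dir, "./extract-demo-XXXXXX");
        if (!mkdtemp(dir))
            return 1;
    }
    char out[256], victim[256], link[256];
    snprintf(out, sizeof out, "%s/out.txt", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    const unsigned char payload[] = "hello, world\n";   /* constructed data */
    size_t plen = sizeof payload - 1;
    struct stat st;
    mode_t um = umask(0);
    umask(um);
    int rc = 0;

    /* 1. Normal extraction: the file ends up with the archive mode minus umask. */
    if (extract_to_file(out, payload, plen, 0644) != 0 ||
        stat(out, &st) != 0 || (st.st_mode & 07777) != (0644 & ~um))
        rc = 2;
    /* 2. Target already exists: refused with EEXIST instead of being clobbered. */
    else if (extract_to_file(out, payload, plen, 0644) == 0 || errno != EEXIST)
        rc = 3;
    /* 3. Symlink planted by an attacker: refused, the victim file is untouched. */
    else {
        int vfd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (vfd < 0 || close(vfd) < 0 || symlink(victim, link) < 0)
            rc = 4;
        else if (extract_to_file(link, payload, plen, 0644) == 0 ||
                 stat(victim, &st) != 0 || st.st_size != 0)
            rc = 5;
    }
    unlink(out); unlink(link); unlink(victim); rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Every decision after the open is made on the file descriptor rather than the path name, so an attacker who swaps the directory entry between two calls gains nothing; the final fchmod() also acts on the descriptor. This is the same ordering the bzip2 fix needs (restrictive mode first, archive mode last) and the same refusal the uudecode fix needs (no symlinks, no FIFOs, no existing files).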
Package: inn
Date: 10-25-2002
Description: There are several format string bugs as well as insecure open() calls in the inn program.
Vendor Alerts: Caldera

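The pam_ldap and inn entries above are both format string bugs in logging code. What follows is an added example, not code from pam_ldap, inn or any vendor: the vulnerable pattern (untrusted text used as the format) beside the fix (a literal format with the text passed as a "%s" argument), plus a constructed logging helper in the shape pam_ldap's logging function should have and a small probe for test suites. The message strings are constructed attacker input.

```c
#include <stdio.h>
#include <string.h>

/* Silence the compiler's warning about the deliberately vulnerable function
 * below; in production code that warning is exactly the bug report. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

static char logbuf[128];   /* stands in for the line handed to syslog() */

/* VULNERABLE: the untrusted message *is* the format string, so every
 * %-directive in it is interpreted: %x reads the stack, %n writes memory. */
const char *log_unsafe(const char *msg)
{
    snprintf(logbuf, sizeof logbuf, msg);
    return logbuf;
}

/* FIXED: the format is a literal and the message is passed as data. */
const char *log_safe(const char *msg)
{
    snprintf(logbuf, sizeof logbuf, "%s", msg);
    return logbuf;
}

/* The shape a logging helper should have: a fixed format for the program's
 * own text, untrusted fields (user names, LDAP DNs, hostnames) always via %s.
 * Constructed for this example; not pam_ldap's own function. */
const char *log_auth_failure(const char *user, const char *reason)
{
    snprintf(logbuf, sizeof logbuf,
             "pam_ldap: authentication failed for %s: %s", user, reason);
    return logbuf;
}

/* Test-time probe for untrusted strings that would be misread as formats:
 * returns 1 if the string contains any '%' that is not the literal "%%". */
int contains_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p; p = strchr(p + 1, '%')) {
        if (p[1] == '%') {
            p++;            /* skip the escaped pair */
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    /* "%%" is the only directive that can be fed to the vulnerable path
     * without undefined behaviour, and it is enough to show the difference:
     * the unsafe version consumes it, the safe version keeps it verbatim.
     * With a real payload ("%x%x%x%n") log_unsafe() would read and write memory. */
    const char *probe = "100%% done";   /* constructed attacker input */
    printf("unsafe: %s\n", log_unsafe(probe));
    printf("safe  : %s\n", log_safe(probe));
    printf("helper: %s\n", log_auth_failure("%x%x%n", "bad password"));
    printf("probe : %d\n", contains_directive("%x%x%n"));
    return 0;
}
```

The same rule applies to syslog(), fprintf(), vsprintf() and any wrapper built on them: the format argument is always a string literal owned by the program, never something assembled from a request, a directory entry or a file name.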
Package: kdegraphics
Date: 10-28-2002
Description: Zen-parse discovered a buffer overflow in gv, a PostScript and PDF viewer for X11. The same code is present in kghostview, which is part of the KDE-Graphics package. The overflow is triggered while scanning the PostScript file and can be exploited by an attacker who sends a malformed PostScript or PDF file, allowing arbitrary code to run with the privileges of the victim.
Vendor Alerts: Debian

Package: krb5
Date: 10-29-2002
Description: Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. Working exploit code for this kadmind bug is circulating, so it is considered serious. The MIT krb5 implementation includes support for version 4: a complete v4 library, server-side support for krb4, and limited client support for v4.
Vendor Alerts: Debian, Mandrake, Gentoo

Package: heimdal
Date: 10-31-2002
Description: A stack buffer overflow was discovered in the kadm_ser_wrap_in function of the Kerberos v4 administration server, which Heimdal also provides. A working exploit for this kadmind bug is already circulating, so it is considered serious. The roken library also contains a vulnerability that could lead to another root exploit.
Vendor Alerts: Debian, Gentoo

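The krb5 and heimdal entries above describe the same class of bug: a server unwraps a network request into a fixed-size stack buffer using a length taken from the request itself. The following is an added example, not code from MIT Kerberos, Heimdal or any vendor. The wire layout (2-byte big-endian length followed by the body), the REQ_MAX buffer size and the sample packets are all constructed for the demonstration and are not the real Kerberos v4 kadmind message format.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer the unwrapped request is copied into (assumed size). */
#define REQ_MAX 64

/* Constructed sample packets: 2-byte big-endian length, then the body. */
const uint8_t good_pkt[]  = { 0x00, 0x0c, 'c','h','p','a','s','s',' ','a','l','i','c','e' };
/* Claims a 512-byte body, far larger than REQ_MAX. */
const uint8_t huge_pkt[]  = { 0x02, 0x00, 'A','A','A','A' };
/* Claims 8 bytes but only 3 follow: would read past the end of the datagram. */
const uint8_t short_pkt[] = { 0x00, 0x08, 'a','b','c' };

char req_body[REQ_MAX];   /* destination buffer used by main() and the checks */

/* VULNERABLE shape: the length comes straight off the network and is used as
 * the copy size. With huge_pkt this writes 512 bytes into a 64-byte buffer,
 * which is why it is never called with that packet here. */
int unwrap_unchecked(const uint8_t *pkt, size_t pktlen, char body[REQ_MAX])
{
    if (pktlen < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(body, pkt + 2, n);
    body[n] = '\0';
    return (int)n;
}

/* HARDENED: validate the claimed length against both the destination size
 * and the bytes actually received before touching memory. */
int unwrap_checked(const uint8_t *pkt, size_t pktlen, char body[REQ_MAX])
{
    if (pktlen < 2)
        return -1;
    size_t n = ((size_t)pkt[0] << 8) | pkt[1];
    if (n > REQ_MAX - 1)        /* must fit, with room for the terminator */
        return -1;
    if (n > pktlen - 2)         /* claimed length exceeds the datagram */
        return -1;
    memcpy(body, pkt + 2, n);
    body[n] = '\0';
    return (int)n;
}

int main(void)
{
    int n = unwrap_checked(good_pkt, sizeof good_pkt, req_body);
    printf("good_pkt : %d bytes -> \"%s\"\n", n, req_body);
    printf("huge_pkt : %d (rejected)\n", unwrap_checked(huge_pkt, sizeof huge_pkt, req_body));
    printf("short_pkt: %d (rejected)\n", unwrap_checked(short_pkt, sizeof short_pkt, req_body));
    /* Benign input behaves identically through the unchecked path; the two
     * only diverge on hostile lengths, which is what makes the bug easy to miss. */
    printf("unchecked good_pkt: %d\n", unwrap_unchecked(good_pkt, sizeof good_pkt, req_body));
    return 0;
}
```

Two separate checks are needed, and the second is the one most often forgotten: a length that fits the destination can still exceed the bytes actually received, turning the copy into an over-read of whatever follows the packet in memory.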
Package: mozilla
Date: 10-31-2002
Description: Numerous security fixes are available in Mozilla 1.0.1. For a detailed list, refer to the “Recently fixed security issues” page on the Mozilla website (see the first reference). All users are encouraged to upgrade to this latest stable 1.0.x release of Mozilla.
Vendor Alerts: Mandrake

Package: ypserv
Date: 10-28-2002
Description: Thorsten Kukuk discovered a problem in the ypserv program, which is part of the Network Information Services (NIS). A memory leak in all versions of ypserv prior to 2.5 is remotely exploitable: if a malicious user requests a non-existent map, the server leaks parts of an old domainname and mapname.
Vendor Alerts: Gentoo

Package: mod_ssl
Date: 10-27-2002
Description: The original posting repeated the ypserv text for this entry. The mod_ssl update these advisories shipped addressed a cross-site scripting issue: when UseCanonicalName is off and wildcard DNS is in use, mod_ssl builds the self-referencing URLs in its error pages from the client-supplied host name, so an attacker can inject script into those pages (CAN-2002-1157).
Vendor Alerts: Gentoo, EnGarde

Package: syslog-ng
Date: 10-31-2002
Description: While reviewing the syslog-ng fixes made in ESA-20021016-025, Sebastian Krahmer discovered that the fixes were not sufficient. This update does a better job of fixing the buffer overflow and supersedes ESA-20021016-025.
Vendor Alerts: EnGarde, SuSE

Package: lprng
Date: 10-31-2002
Description: The lprng package contains the “runlpr” program, which allows the lp user to execute the lpr program as root. A local attacker can pass certain command-line arguments to lpr running as root, tricking it into executing arbitrary commands as root. This has been fixed. Note that this vulnerability can only be exploited if the attacker has previously gained access to the lp account.
Vendor Alerts: SuSE