Linux Advisory Watch – November 26, 2004

26

Author: Preston St. Pierre

This week, advisories were released for bugzilla, samba, bnc, sudo, Cyrus,
yardradius, AbiWord, unarj, pdftohtml, ProZilla, phpBB, TWiki, XFree86, libxpm4,
a2ps, zip, kdebase, and kdelibs. The distributors include Conectiva, Debian,
Fedora, Gentoo, Mandrake, Openwall, and Trustix.

Security Basics

In the ever-changing world of global data communications, inexpensive Internet
connections, and fast-paced software development, security is becoming more
and more of an issue. Security is now a basic requirement because global computing
is inherently insecure. As your data goes from point A to point B on the Internet,
for example, it may pass through several other points along the way, giving
other users the opportunity to intercept, and even alter, your data. Even other
users on your system may maliciously transform your data into something you
did not intend. Unauthorized access to your system may be obtained by intruders,
also known as “crackers”, who then use advanced knowledge to impersonate you,
steal information from you, or even deny you access to your own resources. If
you’re still wondering what the difference is between a “Hacker” and a “Cracker”,
see Eric Raymond’s document, “How to Become A Hacker”, available at: http://www.catb.org/~esr/faqs/hacker-howto.html

How Vulnerable Are We?

While it is difficult to determine just how vulnerable a particular
system is, there are several indications we can use:

  • The Computer Emergency Response Team consistently reports an increase in
    computer vulnerabilities and exploits.
  • TCP and UDP, the protocols that comprise the Internet, were not written
    with security as their first priority when it was created more than 30 years
    ago.
  • A version of software on one host has the same vulnerabilities as the same
    version of software on another host. Using this information, an intruder can
    exploit multiple systems using the same attack method.
  • Many administrators don’t even take simple security measures necessary to
    protect their site, or don’t understand the ramifications of implementing
    some services. Many administrators are not given the additional time necessary
    to integrate the necessary security measures.

 
Distribution: Conectiva
  11/23/2004 shadow-utils authentication bypass vulnerability fix
   

Martin Schulze reported a vulnerability[2] in the passwd_check()
function in “libmisc/pwdcheck.c” which is used by chfn and chsh and
thus may allow a local attacker to use them to change the standard
shell of other users or modify their GECOS information (full name,
phone number…).

http://www.linuxsecurity.com/advisories/conectiva_advisory-5223.html

 
  11/23/2004 bugzilla
    remote vulnerability fix

Bugzilla versions prior to 2.16.7 have a vulnerability[3] which allows
a remote user to remove keywords from a ticket even without the
necessary permissions. Such an action, however, would trigger the usual
e-mail detailing the changes, making it easy to discover what happened
and what was changed.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5224.html

 
  11/25/2004 samba
    denial of service vulnerability fix

Karol Wiesek found a vulnerability[2] in the input validation routines
in Samba 3.x used to match filename strings containing wildcard
characters that may allow a remote attacker to consume abnormal amounts
of CPU cycles.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5234.html

 
 
Distribution: Debian
  11/24/2004 bnc
    buffer overflow

Leon Juranic discovered that BNC, an IRC session bouncing proxy, does
not always protect buffers from being overwritten. This could exploited
by a malicious IRC server to overflow a buffer of limited size and
execute arbitrary code on the client host.

http://www.linuxsecurity.com/advisories/debian_advisory-5227.html

 
  11/24/2004 sudo
    privilege escalation fix

Liam Helmer noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. Bash functions and the CDPATH variable are still passed
through to the program running as privileged user, leaving
possibilities to overload system routines.

http://www.linuxsecurity.com/advisories/debian_advisory-5228.html

 
  11/24/2004 sudo
    removes debug output

Liam Helmer noticed that sudo, a program that provides limited super
user privileges to specific users, does not clean the environment
sufficiently. Bash functions and the CDPATH variable are still passed
through to the program running as privileged user, leaving
possibilities to overload system routines.

http://www.linuxsecurity.com/advisories/debian_advisory-5229.html

 
  11/25/2004 Cyrus
    IMAP arbitrary code execution fix

Stefan Esser discovered several security related problems in the Cyrus
IMAP daemon. Due to a bug in the command parser it is possible to
access memory beyond the allocated buffer in two places which could
lead to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/debian_advisory-5240.html

 
  11/25/2004 yardradius
    arbitrary code execution fix

Max Vozeler noticed that yardradius, the YARD radius authentication and
accounting server, contained a stack overflow similar to the one from
radiusd which is referenced as CAN-2001-0534. This could lead to the
execution of arbitrary code as root.

http://www.linuxsecurity.com/advisories/debian_advisory-5241.html

 
  11/25/2004 tetex-bin arbitrary code execution
    arbitrary code execution fix

Chris Evans discovered several integer overflows in xpdf, that are also
present in tetex-bin, binary files for the teTeX distribution, which
can be exploited remotely by a specially crafted PDF document and lead
to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/debian_advisory-5242.html

 
 
Distribution: Fedora
  11/19/2004 system-config-users-1.2.28-0.fc3.1 update
    arbitrary code execution fix

check for running processes of a user about to be deleted (#132902)

http://www.linuxsecurity.com/advisories/fedora_advisory-5205.html

 
  11/19/2004 system-config-users-1.2.28-0.fc2.1 update
    arbitrary code execution fix

check for running processes of a user about to be deleted (#132902)

http://www.linuxsecurity.com/advisories/fedora_advisory-5206.html

 
  11/19/2004 rhgb-0.16.1-1.FC3 update
    arbitrary code execution fix

This should fix the problem where rhgb blocks the boot process when X
fails to initialize correctly, as well as the one preventing vncserver
to start when rhgb is used.

http://www.linuxsecurity.com/advisories/fedora_advisory-5207.html

 
  11/22/2004 redhat-menus-3.7-2.2.fc3 update
    arbitrary code execution fix

This update adds additional file types to the list of file types
associated with the OpenOffice.org application suite, allowing users to
open more documents with OpenOffice.org through Nautilus and Evolution.


http://www.linuxsecurity.com/advisories/fedora_advisory-5213.html

 
  11/22/2004 kernel-2.6.9-1.6_FC2 update
    arbitrary code execution fix

This update brings a rebase to 2.6.9, including various security fixes
incorporated into the upstream kernel, and also includes Alan Cox’s -ac
patchset, which adds additional security fixes.

http://www.linuxsecurity.com/advisories/fedora_advisory-5214.html

 
  11/22/2004 kernel-2.6.9-1.681_FC3 update
    arbitrary code execution fix

This update brings an updated -ac patch which which adds several
security fixes, and various other fixes that have occured since the
release of Fedora Core 3.

http://www.linuxsecurity.com/advisories/fedora_advisory-5215.html

 
  11/22/2004 redhat-menus-3.7.1-1.fc3 update
    arbitrary code execution fix

This update fixes the missing evolution icon bug (#rh138282).

http://www.linuxsecurity.com/advisories/fedora_advisory-5216.html

 
  11/23/2004 system-config-display-1.0.24-1 update
    arbitrary code execution fix

This fixes tracebacks experienced by some users with dual head support

http://www.linuxsecurity.com/advisories/fedora_advisory-5217.html

 
  11/24/2004 system-config-samba-1.2.22-0.fc3.1 update
    arbitrary code execution fix

add missing options (#137756)

http://www.linuxsecurity.com/advisories/fedora_advisory-5230.html

 
  11/24/2004 system-config-samba-1.2.22-0.fc2.1 update
    arbitrary code execution fix

add missing options (#137756), don’t raise exception when writing
/etc/samba/smb.conf (#135946), updated translations

http://www.linuxsecurity.com/advisories/fedora_advisory-5231.html

 
  11/25/2004 AbiWord
    bug fixes

Fixes for tempnam usages and startup geometry crashes

http://www.linuxsecurity.com/advisories/fedora_advisory-5232.html

 
 
Distribution: Gentoo
  11/19/2004 X.org, Xfree vulnerabilities
    bug fixes

libXpm contains several vulnerabilities that could lead to a Denial of Service and arbitrary code execution.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5209.html

 
  11/19/2004 unarj
    Long filenames buffer overflow and a path traversal vulnerability

unarj contains a buffer overflow and a directory traversal
vulnerability. This could lead to overwriting of arbitrary files or the
execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5210.html

 
  11/23/2004 pdftohtml
    Vulnerabilities in included Xpdf

pdftohtml includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to execution of arbitrary code upon converting a malicious
PDF file.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5219.html

 
  11/23/2004 ProZilla
    Multiple vulnerabilities

ProZilla contains several buffer overflow vulnerabilities that can be
exploited by a malicious server to execute arbitrary code with the
rights of the user running ProZilla.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5220.html

 
  11/23/2004 phpBB
    Remote command execution

phpBB contains a vulnerability which allows a remote attacker to
execute arbitrary commands with the rights of the web server user.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5221.html

 
  11/24/2004 TWiki
    Arbitrary command execution

A bug in the TWiki search function allows an attacker to execute
arbitrary commands with the permissions of the user running TWiki.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5222.html

 
  11/25/2004 Cyrus
    IMAP Multiple remote vulnerabilities

The Cyrus IMAP Server contains multiple vulnerabilities which could lead to remote execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5233.html

 
 
Distribution: Mandrake
  11/23/2004 XFree86
    vulnerabilities fix

A source code review of the XPM library, done by Thomas Biege of the
SuSE Security-Team revealed several different kinds of bugs. These bugs
include integer overflows, out-of-bounds memory access, shell command
execution, path traversal, and endless loops.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5225.html

 
  11/23/2004 libxpm4
    vulnerabilities fix

A source code review of the XPM library, done by Thomas Biege of the
SuSE Security-Team revealed several different kinds of bugs. These bugs
include integer overflows, out-of-bounds memory access, shell command
execution, path traversal, and endless loops.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5226.html

 
  11/25/2004 Cyrus
    IMAP multiple vulnerabilities

A number of vulnerabilities in the Cyrus-IMAP server were found by
Stefan Esser. Due to insufficient checking within the argument parser
of the ‘partial’ and ‘fetch’ commands, a buffer overflow could be
exploited to execute arbitrary attacker-supplied code.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5235.html

 
  11/25/2004 a2ps
    vulnerability fix

The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitray commands with the
privileges of the user running the vulnerable application.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5236.html

 
  11/25/2004 zip
    vulnerability fix

A vulnerability in zip was discovered where zip would not check the
resulting path length when doing recursive folder compression, which
could allow a malicious person to convince a user to create an archive
containing a specially-crafted path name.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5237.html

 
  11/26/2004 kdebase
    various bugs fixes

A number of bugs in kdebase are fixed with this update.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5238.html

 
  11/26/2004 kdelibs
    various bugs fix

A number of bugs in kdelibs are fixed with this update.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5239.html

 
 
Distribution: Openwall
  11/23/2004 2.4.28-ow1 security-related bugs
    various bugs fix

Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of security-related
bugs, including the ELF loader vulnerabilities discovered by Paul
Starzetz (confirmed: ability for users to read +s-r binaries;
potential: local root), a race condition with reads from Unix domain
sockets (potential local root), smbfs support vulnerabilities
discovered by Stefan Esser (confirmed: remote DoS by a malicious smbfs
server; potential: remote root by a malicious smbfs server).

http://www.linuxsecurity.com/advisories/openwall_advisory-5218.html

 
 
Distribution: Trustix
  11/22/2004 apache, kernel, sudo Multiple vulnerabilities
    various bugs fix

An issue was discovered where the field length limit was not enforced
for certain malicious requests. This could lead to a remote denial of
service attack.

http://www.linuxsecurity.com/advisories/trustix_advisory-5211.html

 
  11/22/2004 amavisd-new, anaconda, courier-imap, ppp, setup, spamassassin, swup, tftp-hpa, tsl-utils Package bugfixes
    various bugs fix

amavisd-new: Add tmpwatch of the virusmails directory to keep it from
growing infinitely. Anaconda: Increase ramdisk-size as needed by
netboot floppy. Courier-imap: Now use $HOME/Maildir.

http://www.linuxsecurity.com/advisories/trustix_advisory-5212.html