Author: Kelley Greenman
Libtasn1: arbitrary code execution vulnerability
This week, Gentoo and Mandriva issued advisories addressing Evgeny Legerov’s January 31st discovery of several possible out-of-bounds accesses in the Distinguished Encoding Rules (DER) decoding and encoding code of Libtasn1. Libtasn1 is the standalone library written for GnuTLS’s handling of X.509 certificates; in GNU Shishi, Libtasn1 handles Kerberos packets. Reports indicate that the vulnerabilities are present in Libtasn1 prior to 0.2.18 and in GnuTLS prior to 1.2.10.
The vulnerability is triggered when a remote attacker sends an invalid X.509 certificate, which can crash the server process and potentially yield escalated privileges. With those privileges, a remote attacker could execute arbitrary code.
In his security advisory, Simon Josefsson invited further testing, providing a “self test that triggers three bugs in the old libtasn1.” Josefsson also released a diff comparing Libtasn1 0.2.17 and Libtasn1 0.2.18.
Fixing this vulnerability requires changing several internal function signatures. Since the GnuTLS library also uses those functions, GnuTLS must be updated as well.
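As an added illustration of the bug class described above (out-of-bounds reads while decoding DER from invalid input), and not code from libtasn1 or GnuTLS, the following tag/length decoder checks every index against the buffer size and rejects truncated, oversized or non-minimal length encodings; the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One decoded DER tag-length header. */
typedef struct {
    uint8_t tag;         /* single-octet tag */
    size_t  hdr_len;     /* octets consumed by tag + length */
    size_t  content_len; /* declared length of the content octets */
} der_hdr;

/* Decode the tag and length at buf[0..len). Returns 1 on success, 0 on any
 * truncated or non-DER encoding. Every index is checked against len before
 * it is used, so malformed input cannot cause a read past the buffer. */
int der_read_header(const uint8_t *buf, size_t len, der_hdr *out)
{
    size_t pos = 0, clen;
    if (len < 2) return 0;                          /* need tag + one length octet */
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f) return 0;             /* multi-octet tags not handled here */
    uint8_t l0 = buf[pos++];
    if (l0 < 0x80) {
        clen = l0;                                  /* short form */
    } else {
        size_t n = l0 & 0x7f;                       /* number of length octets */
        if (n == 0 || n > sizeof(size_t)) return 0; /* indefinite or oversized */
        if (n > len - pos) return 0;                /* length octets truncated */
        if (buf[pos] == 0) return 0;                /* DER forbids a leading zero octet */
        clen = 0;
        while (n--) clen = (clen << 8) | buf[pos++];
        if (clen < 0x80) return 0;                  /* DER requires the short form here */
    }
    if (clen > len - pos) return 0;                 /* content would run past the buffer */
    out->tag = tag; out->hdr_len = pos; out->content_len = clen;
    return 1;
}

/* Constructed samples: a valid SEQUENCE, a header whose long-form length is
 * cut off, and a header whose declared length exceeds the available bytes. */
static const uint8_t SAMPLE_OK[]        = { 0x30, 0x03, 0x02, 0x01, 0x05 };
static const uint8_t SAMPLE_TRUNC_LEN[] = { 0x30, 0x82, 0x01 };
static const uint8_t SAMPLE_OVERRUN[]   = { 0x04, 0x05, 0x01, 0x02 };

int main(void)
{
    der_hdr h;
    printf("ok: %d\n", der_read_header(SAMPLE_OK, sizeof SAMPLE_OK, &h));
    printf("truncated: %d\n", der_read_header(SAMPLE_TRUNC_LEN, sizeof SAMPLE_TRUNC_LEN, &h));
    printf("overrun: %d\n", der_read_header(SAMPLE_OVERRUN, sizeof SAMPLE_OVERRUN, &h));
    return 0;
}
```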
Debian: noweb — insecure temporary file
February 13, 2006
Debian’s advisory states:
Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that a script in noweb, a web like literate-programming tool, creates a temporary file in an insecure fashion.
Debian: scponly — design error
February 13, 2006
Debian’s advisory states:
Max Vozeller discovered a vulnerability in scponly, a utility to restrict user commands to scp and sftp, that could lead to the execution of arbitrary commands as root. The system is only vulnerable if the program scponlyc is installed setuid root and if regular users have shell access to the machine.
Debian: kronolith — missing input sanitizing
February 14, 2006
Debian’s advisory states:
Johannes Greil of SEC Consult discovered several cross-site scripting vulnerabilities in kronolith, the Horde calendar application.
Debian: Xpdf — buffer overflow
February 14, 2006
Debian’s advisory states:
SUSE researchers discovered heap overflow errors in xpdf, the Portable Document Format (PDF) suite, that can allow attackers to cause a denial of service by crashing the application or possibly execute arbitrary code.
Debian: otrs — several vulnerabilities
February 15, 2006
Debian’s advisory states:
Several vulnerabilities have been discovered in otrs, the Open Ticket Request System, that can be exploited remotely.
Debian: gpdf — buffer overflows
February 15, 2006
Debian’s advisory states:
SUSE researchers discovered heap overflow errors in xpdf, the Portable Document Format (PDF) suite, which is also present in gpdf, the GNOME version of the Portable Document Format viewer, and which can allow attackers to cause a denial of service by crashing the application or possibly execute arbitrary code.
Debian: nfs-user-server — buffer overflow
February 15, 2006
Debian’s advisory states:
Marcus Meissner discovered that attackers can trigger a buffer overflow in the path handling code by creating or abusing existing symlinks, which may lead to the execution of arbitrary code. This vulnerability isn’t present in the kernel NFS server. This update includes a bugfix for attribute handling of symlinks. This fix does not have security implications, but at the time when this DSA was prepared it was already queued for the next stable point release, so we decided to include it beforehand.
Debian: libast — buffer overflow
February 15, 2006
Debian’s advisory states:
Johnny Mast discovered a buffer overflow in libast, the library of assorted spiffy things, that can lead to the execution of arbitrary code. This library is used by eterm which is installed setgid uid which leads to a vulnerability to alter the utmp file.
Debian: heimdal — several vulnerabilities
February 16, 2006
Debian’s advisory states:
Two vulnerabilities have been discovered in heimdal, a free implementation of Kerberos 5.
Fedora: poppler — heap-based buffer overflow
February 10, 2006
Fedora’s advisory states:
Heap-based buffer overflow in Splash.cc in poppler, allows attackers to cause a denial of service and possibly execute arbitrary code via crafted splash images that produce certain values that exceed the width or height of the associated bitmap.
Fedora: xpdf — heap based buffer overflow
February 10, 2006
Fedora’s advisory states:
xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code.
Fedora: kdegraphics — heap based buffer overflow
February 10, 2006
Fedora’s advisory states:
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code.
Fedora: gnutls — vulnerability
February 10, 2006
Fedora’s advisory states:
Fix for CVE-2006-0645.
Gentoo: xpdf, poppler — heap overflow
February 12, 2006
Gentoo’s advisory states:
Xpdf and Poppler are vulnerable to a heap overflow that may be exploited to execute arbitrary code.
Gentoo: kdegraphics, kpdf — heap based overflow
February 12, 2006
Gentoo’s advisory states:
KPdf includes vulnerable Xpdf code to handle PDF files, making it vulnerable to the execution of arbitrary code.
Gentoo: ImageMagick — format string vulnerability
February 13, 2006
Gentoo’s advisory states:
A vulnerability in ImageMagick allows attackers to crash the application and potentially execute arbitrary code.
Gentoo: sun-jdk, sun-jre-bin — applet privilege escalation
February 15, 2006
Gentoo’s advisory states:
Sun’s Java Development Kit (JDK) and Java Runtime Environment (JRE) do not adequately constrain applets from privilege escalation and arbitrary code execution.
Gentoo: libtasn1, gnutls — security flaw in DER decoding
February 16, 2006
Gentoo’s advisory states:
A flaw in the parsing of Distinguished Encoding Rules (DER) has been discovered in libtasn1, potentially resulting in the execution of arbitrary code.
Gentoo: bomberclone — buffer overflow
February 16, 2006
Gentoo’s advisory states:
BomberClone is vulnerable to a buffer overflow which may lead to remote execution of arbitrary code.
Mandriva: ghostscript — several vulnerabilities
February 10, 2006
Mandriva’s advisory states:
A number of bugs have been corrected with this latest ghostscript package including a fix when rendering images when converting PostScript to PDF with ps2pdf, a crash when generating PDF files with the pdfwrite device, several segfaults, a fix for vertical japanese text, and a number of other fixes.
Mandriva: libtasn1 — out-of-bounds access vulnerability fix
February 13, 2006
Mandriva’s advisory states:
Evgeny Legerov discovered cases of possible out-of-bounds access in the DER decoding schemes of libtasn1, when provided with invalid input. This library is bundled with gnutls. The provided packages have been patched to correct these issues.
Mandriva: postgresql — updated postgresql packages fix various bugs
February 14, 2006
Mandriva’s advisory states:
Various bugs in the PostgreSQL 8.0.x branch have been corrected with the latest 8.0.7 maintenance release which is being provided for Mandriva Linux 2006 users.
Red Hat: gnutls — denial of service
February 10, 2006
Red Hat’s advisory states:
Updated gnutls packages that fix a security issue are now available for Red Hat Enterprise Linux 4. (CVE-2006-0645)
Red Hat: kdegraphics — heap based buffer overflow
February 13, 2006
Red Hat’s advisory states:
Updated kdegraphics packages that resolve a security issue in kpdf are now available. (CVE-2006-0301)
Red Hat: libpng — heap based buffer overflow
February 13, 2006
Red Hat’s advisory states:
Updated libpng packages that fix a security issue are now available for Red Hat Enterprise Linux 4. (CVE-2006-0481)
Red Hat: xpdf — heap based buffer overflow
February 13, 2006
Red Hat’s advisory states:
An updated xpdf package that fixes a buffer overflow security issue is now available. (CVE-2006-0301)
Red Hat: bzip2 — several vulnerabilities
February 13, 2006
Red Hat’s advisory states:
Updated bzip2 packages that fix multiple issues are now available. (CVE-2005-0758, CVE-2005-0953, CVE-2005-1260)
Red Hat: ImageMagick — shell command injection flaw, format string flaw
February 14, 2006
Red Hat’s advisory states:
Updated ImageMagick packages that fix two security issues are now available. (CVE-2005-4601, CVE-2006-0082)
SUSE: binutils, kdelibs3, kdegraphics3, koffice, dia, lyx — local privilege escalation
February 10, 2006
SUSE’s advisory states:
A SUSE specific patch to the GNU linker ‘ld’ removes redundant RPATH and RUNPATH components when linking binaries. Due to a bug in this routine ld occasionally left empty RPATH components. When running a binary with empty RPATH components the dynamic linker tries to load shared libraries from the current directory. By tricking users into running an affected application in a directory that contains a specially crafted shared library an attacker could execute arbitrary code with the user id of the victim.
SUSE: openssh — remote code execution
February 14, 2006
SUSE’s advisory states:
A problem in the handling of scp in openssh could be used to execute commands on remote hosts even using a scp-only configuration.
Ubuntu: heimdal — privilege escalation flaw
February 09, 2006
Ubuntu’s advisory states:
A privilege escalation flaw has been found in the heimdal rsh (remote shell) server. This allowed an authenticated attacker to overwrite arbitrary files and gain ownership of them. (CVE-2006-0582)
Ubuntu: unzip — buffer overflow
February 13, 2006
Ubuntu’s advisory states:
A buffer overflow was discovered in the handling of file name arguments. By tricking a user or automated system into processing a specially crafted, excessively long file name with unzip, an attacker could exploit this to execute arbitrary code with the user’s privileges. (CVE-2005-4667)
Ubuntu: xpdf, poppler, kdegraphics — buffer overflow
February 13, 2006
Ubuntu’s advisory states:
The splash image handler in xpdf did not check the validity of coordinates. By tricking a user into opening a specially crafted PDF file, an attacker could exploit this to trigger a buffer overflow which could lead to arbitrary code execution with the privileges of the user. The poppler library and kpdf also contain xpdf code, and thus are affected by the same vulnerability. (CVE-2006-0301)
Ubuntu: linux-source-2.6.12 — denial of service
February 13, 2006
Ubuntu’s advisory states:
Herbert Xu discovered a remote Denial of Service vulnerability in the ICMP packet handler. In some situations a memory allocation was released twice, which led to memory corruption. A remote attacker could exploit this to crash the machine. (CVE-2006-0454)
Ubuntu: unzip — regression fix
February 15, 2006
Ubuntu’s advisory states:
USN-248-1 fixed a vulnerability in unzip. However, that update inadvertently changed the field order in the contents listing output, which broke unzip frontends like file-roller. The updated packages fix this regression.
Ubuntu: libtasn — buffer overflow
February 16, 2006
Ubuntu’s advisory states:
Evgeny Legerov discovered a buffer overflow in the DER format decoding function of the libtasn library. This library is mainly used by the GNU TLS library; by sending a specially crafted X.509 certificate to a server which uses TLS encryption/authentication, a remote attacker could exploit this to crash that server process and possibly even execute arbitrary code with the privileges of that server. (CVE-2006-0645)