Linux.com weekly security update


Author: Linux.com Staff

Advisories were released this week for ClamAV, CUPS, ImageMagick, phpMyAdmin, and several other packages. Distributions covered this week are Debian, Fedora Core, Gentoo, Mandriva, SUSE, and Ubuntu.

Debian: clamav — heap overflow
January 21, 2006

Debian’s advisory states:

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.

Debian: cupsys — buffer overflows
January 23, 2006

Debian’s advisory states:

“infamous41md” and Chris Evans discovered several heap-based buffer overflows in xpdf which are also present in CUPS, the Common UNIX Printing System, and which can lead to a denial of service by crashing the application or possibly to the execution of arbitrary code.

Debian: trac — missing input sanitising
January 23, 2006

Debian’s advisory states:

Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects.

Debian: libapache-auth-ldap — format string
January 23, 2006

Debian’s advisory states:

“Seregorn” discovered a format string vulnerability in the logging function of libapache-auth-ldap, an LDAP authentication module for the Apache webserver, that can lead to the execution of arbitrary code.

Debian: flyspray — missing input sanitising
January 24, 2006

Debian’s advisory states:

Several cross-site scripting vulnerabilities have been discovered in flyspray, a lightweight bug tracking system, which allow attackers to insert arbitrary script code into the index page.

Debian: clamav — heap overflow
January 25, 2006

Debian’s advisory states:

A heap overflow has been discovered in ClamAV, a virus scanner, which could allow an attacker to execute arbitrary code by sending a carefully crafted UPX-encoded executable to a system running ClamAV. In addition, other potential overflows have been corrected.

Debian: wine — design flaw
January 25, 2006

Debian’s advisory states:

H D Moore has discovered that Wine, a free implementation of the Microsoft Windows APIs, inherits a design flaw from the Windows GDI API, which may lead to the execution of code through GDI escape functions in WMF files.

Debian: mailman — DoS
January 25, 2006

Debian’s advisory states:

Two denial of service bugs were found in the mailman list server. In one, attachment filenames containing UTF8 strings were not properly parsed, which could cause the server to crash. In another, a message containing a bad date string could cause a server crash.

Debian: lsh-server — file descriptor leak
January 26, 2006

Debian’s advisory states:

Stefan Pfetzing discovered that lshd, a Secure Shell v2 (SSH2) protocol server, leaks a couple of file descriptors, related to the randomness generator, to user shells which are started by lshd. A local attacker can truncate the server’s seed file, which may prevent the server from starting, and with some more effort, maybe also crack session keys.
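The descriptor leak described above, as an added example in C that is not lshd's code: a check for whether a descriptor would survive exec, the FD_CLOEXEC fix, a sweep that applies it to every descriptor before a user shell is started, and a spawned sh that reports whether it can still see the descriptor. The temporary stand-in for the seed file, the use of sh as the probe and the 65536 bound on the sweep are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>

extern char **environ;

/* 1 if the descriptor would be inherited by an exec'd program, 0 if it is
 * marked close-on-exec, -1 if fd is not open at all. */
int fd_leaks_across_exec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 0 : 1;
}

/* The fix for one descriptor: mark it close-on-exec (or open it with
 * O_CLOEXEC in the first place). Returns 0 on success. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Belt and braces before exec'ing a user shell: mark every open descriptor
 * at or above `lowest` close-on-exec. Returns how many were newly marked.
 * The 65536 cap on the scan is an assumption for this example. */
int mark_cloexec_from(int lowest)
{
    long limit = sysconf(_SC_OPEN_MAX);
    int marked = 0;
    if (limit < 0 || limit > 65536)
        limit = 65536;
    for (int fd = lowest; fd < limit; fd++)
        if (fd_leaks_across_exec(fd) == 1 && set_cloexec(fd) == 0)
            marked++;
    return marked;
}

/* Ground truth rather than flag inspection: spawn sh and ask it to dup the
 * descriptor; the dup fails if exec closed it. 1 = child can see it,
 * 0 = it is gone, -1 = could not spawn. */
int child_can_see_fd(int fd)
{
    char script[64];
    pid_t pid;
    int status;
    snprintf(script, sizeof script, "exec 2>/dev/null; : <&%d", fd);
    char *argv[] = { "sh", "-c", script, NULL };
    if (posix_spawnp(&pid, "sh", NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    /* constructed stand-in for the daemon's seed file */
    char path[] = "/tmp/seed-XXXXXX";
    int seed_fd = mkstemp(path);
    if (seed_fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("before: leaks=%d child sees=%d\n",
           fd_leaks_across_exec(seed_fd), child_can_see_fd(seed_fd));
    mark_cloexec_from(3);
    printf("after:  leaks=%d child sees=%d\n",
           fd_leaks_across_exec(seed_fd), child_can_see_fd(seed_fd));
    close(seed_fd);
    unlink(path);
    return 0;
}
```

The probe matters because a daemon that opens its seed file read-write and forgets the flag hands the child both a read handle (seed material) and a write handle (the truncation the advisory describes); the sweep before exec is the generic mitigation when individual open() calls cannot all be audited.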

Debian: imagemagick — missing shell meta sanitising
January 26, 2006

Debian’s advisory states:

Florian Weimer discovered that delegate code in ImageMagick is vulnerable to shell command injection using specially crafted file names. This allows attackers to encode commands inside of graphic commands. With some user interaction, this is exploitable through Gnus and Thunderbird.
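The delegate injection described above (the same flaw reappears in the Mandriva and Ubuntu ImageMagick items later in this update), as an added example in C that is not ImageMagick's code: the file name spliced into a shell command line beside the argv-based form that never reaches a shell, plus a metacharacter check for defence in depth. The `prog "file"` template, the file names and the use of `true` as a stand-in delegate program are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <spawn.h>
#include <sys/wait.h>

extern char **environ;

/* Vulnerable pattern: the file name is spliced into a command line handed to
 * /bin/sh via system(). Wrapping it in quotes does not help once the name
 * itself contains a quote. Returns the shell's exit status, -1 on failure. */
int run_delegate_shell(const char *prog, const char *fname)
{
    char cmd[4096];
    int n = snprintf(cmd, sizeof cmd, "%s \"%s\"", prog, fname);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int status = system(cmd);            /* sh -c 'prog "fname"' */
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Hardened pattern: the file name is a single argv element, so no shell ever
 * parses it. Returns the program's exit status, -1 on spawn failure. */
int run_delegate_argv(const char *prog, const char *fname)
{
    char *argv[] = { (char *)prog, (char *)fname, NULL };
    pid_t pid;
    int status;
    if (posix_spawnp(&pid, prog, NULL, NULL, argv, environ) != 0)
        return -1;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Defence in depth: refuse names carrying shell metacharacters at all, since
 * some delegate rule may still route through a shell. 1 = reject. */
int has_shell_meta(const char *fname)
{
    return strpbrk(fname, "\"'`$;|&<>()\n\\*?") != NULL;
}

int main(void)
{
    /* constructed file name: closes the quote, runs a command, reopens it */
    const char *evil = "x\";exit 3;echo \"";
    printf("via shell: exit %d   via argv: exit %d   has_shell_meta: %d\n",
           run_delegate_shell("true", evil),
           run_delegate_argv("true", evil),
           has_shell_meta(evil));
    return 0;
}
```

With the constructed name the shell path runs `true "x";exit 3;echo ""` and returns 3, i.e. the injected `exit 3` executed; the argv path hands the whole string to `true` as its one argument and returns 0. Replace `true` with any real delegate and the injected command would run with the user's privileges, which is why the mail-client scenario in the advisory matters.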

Debian: drupal — several vulnerabilities
January 27, 2006

Debian’s advisory states:

Several security related problems have been discovered in drupal, a fully-featured content management/discussion engine.

Fedora: kdelibs — heap overflow
January 20, 2006

Fedora’s advisory states:

A heap overflow flaw was discovered affecting kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE. An attacker could create a malicious web site containing carefully crafted JavaScript code that would trigger this flaw and possibly lead to arbitrary code execution.

Fedora: httpd — memory leak
January 20, 2006

Fedora’s advisory states:

A memory leak in the worker MPM could allow remote attackers to cause a denial of service (memory consumption) via aborted connections, which prevents the memory for the transaction pool from being reused for other connections.

Fedora: openssh — shell expansion
January 23, 2006

Fedora’s advisory states:

This is a minor security update which fixes double shell expansion in local-to-local and remote-to-remote copy with scp. It also fixes a few other minor non-security issues.

Gentoo: KDE kjs — URI heap overflow vulnerability
January 22, 2006

Gentoo’s advisory states:

KDE fails to properly validate URIs when handling javascript, potentially resulting in the execution of arbitrary code.

Gentoo: Trac — Cross-site scripting vulnerability
January 26, 2006

Gentoo’s advisory states:

Trac is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

Gentoo: Gallery — Cross-site scripting vulnerability
January 26, 2006

Gentoo’s advisory states:

Gallery is possibly vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

Mandriva: Updated kernel packages fix several vulnerabilities
January 20, 2006

Mandriva’s advisory states:

A number of vulnerabilities have been corrected in the Linux kernel:

- A race condition in the 2.6 kernel could allow a local user to cause a DoS by triggering a core dump in one thread while another thread has a pending SIGSTOP (CVE-2005-3527).
- The ptrace functionality in 2.6 kernels prior to 2.6.14.2, using CLONE_THREAD, does not use the thread group ID to check whether it is attaching to itself, which could allow local users to cause a DoS (CVE-2005-3783).
- The auto-reap of child processes in 2.6 kernels prior to 2.6.15 includes processes with ptrace attached, which leads to a dangling ptrace reference and allows local users to cause a crash (CVE-2005-3784).
- A locking problem in the POSIX timer cleanup handling on exit on kernels 2.6.10 to 2.6.14, when running on SMP systems, allows a local user to cause a deadlock involving process CPU timers (CVE-2005-3805).
- The IPv6 flowlabel handling code in 2.4 and 2.6 kernels prior to 2.4.32 and 2.6.14 modifies the wrong variable in certain circumstances, which allows local users to corrupt kernel memory or cause a crash by triggering a free of non-allocated memory (CVE-2005-3806).
- An integer overflow in 2.6.14 and earlier could allow a local user to cause a hang via 64-bit mmap calls that are not properly handled on a 32-bit system (CVE-2005-3808).

Mandriva: Updated kdelibs packages fix vulnerability
January 20, 2006

Mandriva’s advisory states:

A heap overflow vulnerability was discovered in kjs, the KDE JavaScript interpreter engine. An attacker could create a malicious web site that contained carefully crafted JavaScript code that could trigger the flaw and potentially lead to the arbitrary execution of code as the user visiting the site. The updated packages have been patched to correct this problem.

Mandriva: Updated ipsec-tools packages fix vulnerability
January 25, 2006

Mandriva’s advisory states:

The Internet Key Exchange version 1 (IKEv1) implementation (isakmp_agg.c) in ipsec-tools racoon before 0.6.3, when running in aggressive mode, allows remote attackers to cause a denial of service (null dereference and crash) via crafted IKE packets, as demonstrated by the PROTOS ISAKMP Test Suite for IKEv1. The updated packages have been patched to correct this problem.

Mandriva: Updated mozilla-thunderbird packages fix vulnerability
January 25, 2006

Mandriva’s advisory states:

GUI display truncation vulnerability in Mozilla Thunderbird 1.0.2, 1.0.6, and 1.0.7 allows user-complicit attackers to execute arbitrary code via an attachment with a filename containing a large number of spaces ending with a dangerous extension that is not displayed by Thunderbird, along with an inconsistent Content-Type header, which could be used to trick a user into downloading dangerous content by dragging or saving the attachment. The updated packages have been patched to correct this problem.

Mandriva: Updated perl-Net_SSLeay packages fix vulnerability
January 26, 2006

Mandriva’s advisory states:

Javier Fernandez-Sanguino Pena discovered that the perl Net::SSLeay module used the file /tmp/entropy as a fallback entropy source if a proper source was not set via the environment variable EGD_PATH. This could potentially lead to weakened cryptographic operations if an attacker was able to provide a /tmp/entropy file with known content. The updated packages have been patched to correct this problem.

Mandriva: Updated ImageMagick packages fix vulnerabilities
January 26, 2006

Mandriva’s advisory states:

The delegate code in ImageMagick 6.2.4.x allows remote attackers to execute arbitrary commands via shell metacharacters in a filename that is processed by the display command. (CVE-2005-4601) A format string vulnerability in the SetImageInfo function in image.c for ImageMagick 6.2.3, and other versions, allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via a numeric format string specifier such as %d in the file name, a variant of CVE-2005-0397, and as demonstrated using the convert program. (CVE-2006-0082) The updated packages have been patched to correct these issues.

SUSE: phpMyAdmin — remote code execution
January 26, 2006

SUSE’s advisory states:

Stefan Esser discovered a bug in the register_globals emulation of phpMyAdmin that allows variables to be overwritten. An attacker could exploit the bug to ultimately execute code (CVE-2005-4079). Additionally, several cross-site scripting bugs were discovered (CVE-2005-3787, CVE-2005-3665).

SUSE: nfs-server/rpc.mountd — remote code execution
January 26, 2006

SUSE’s advisory states:

A remotely exploitable problem exists in the rpc.mountd service in the user-space NFS server package “nfs-server”. Insufficient buffer space supplied to the realpath() function when processing mount requests can lead to a buffer overflow in rpc.mountd and allows remote attackers to execute code as the root user.

Ubuntu: kdelibs vulnerability
January 20, 2006

Ubuntu’s advisory states:

Maksim Orlovich discovered that kjs, the JavaScript interpreter engine used by Konqueror and other parts of KDE, did not sufficiently verify the validity of UTF-8 encoded URIs. Specially crafted URIs could trigger a buffer overflow. By tricking a user into visiting a web site with malicious JavaScript code, a remote attacker could exploit this to execute arbitrary code with user privileges.

Ubuntu: imagemagick vulnerabilities
January 24, 2006

Ubuntu’s advisory states:

Florian Weimer discovered that the delegate code did not correctly handle file names which embed shell commands (CVE-2005-4601). Daniel Kobras found a format string vulnerability in the SetImageInfo() function (CVE-2006-0082). By tricking a user into processing an image file with a specially crafted file name, these two vulnerabilities could be exploited to execute arbitrary commands with the user’s privileges. These vulnerabilities become particularly critical if malicious images are sent as email attachments and the email client uses ImageMagick to convert/display the images (e.g. Thunderbird and Gnus).
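The format-string defect in SetImageInfo() (CVE-2006-0082), and the one in libapache-auth-ldap's logging function earlier in this update, as an added example in C that belongs to neither project: untrusted text used as the format beside the literal-format form, a printf-attributed wrapper so the compiler flags any caller that passes a non-literal format, and a helper that counts conversion directives in an untrusted string for a detection rule. The log-line prefix and the sample file names are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: attacker-controlled text becomes the format string.
 * "%x" reads the caller's stack, "%n" writes memory, and a bare "%d" in a
 * file name is enough to crash. Shown for contrast only and never called
 * with directives in it here. */
int log_vulnerable(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);     /* gcc -Wformat-security flags this */
}

/* Hardened: the format is a literal and the untrusted text is an argument,
 * so any '%' it contains is copied verbatim. */
int log_safe(char *out, size_t n, const char *who, const char *msg)
{
    return snprintf(out, n, "auth_ldap: user %s: %s", who, msg);
}

/* A wrapper carrying a format attribute makes the compiler check every
 * caller's format string against its arguments at compile time. */
int log_checked(char *out, size_t n, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));
int log_checked(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* Audit helper: number of conversion directives in untrusted text, i.e.
 * a '%' not immediately followed by another '%'. A file name or LDAP
 * username with a non-zero count is the input these two bugs need. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    char line[128];
    /* constructed attacker-chosen username and file name */
    const char *user = "%x%x%x%n";
    const char *fname = "%d%d%d.png";
    log_safe(line, sizeof line, user, "bad password");
    printf("%s\n", line);
    printf("directives in %s: %d, in plain.png: %d\n",
           fname, count_format_directives(fname),
           count_format_directives("plain.png"));
    return 0;
}
```

Treat any non-zero count from the audit helper on a file name, mail attachment name or authentication identity as a signal worth alerting on: there is no benign reason for a conversion directive to appear there, and the same string is what would have reached the logging call or SetImageInfo() in the vulnerable versions.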

Please send security advisories and notices to editors@ostg.com for inclusion.
