LXer Weekly Security Roundup - Apr 12, 2004 to Apr 19, 2004

Posted by dave on Apr 19, 2004 6:06 AM EDT
Dave Whitinger

There were 36 security alerts issued last week:
  • 3 from Conectiva
  • 15 from Debian
  • 2 from Fedora
  • 1 from Gentoo
  • 3 from Mandrake
  • 4 from OpenPKG
  • 3 from Red Hat
  • 1 from Slackware
  • 3 from SUSE
  • 1 from Trustix

Conectiva: apache
Apr 13, 2004 9:32 PM
DoS in mod_ssl and log escape sequences vulnerability.

Conectiva: mod_python
Apr 13, 2004 1:21 AM
This update fixes a remote denial of service vulnerability[1] in Apache web servers that have mod_python enabled (this is not the default in Conectiva Linux). An attacker can crash an Apache child process by sending a specially crafted message that triggers the bug in mod_python.

Conectiva: squid
Apr 13, 2004 1:07 AM
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0189 to this issue[2].

Debian: New cvs packages fix multiple vulnerabilities
Apr 17, 2004 2:17 PM
Two vulnerabilities have been discovered and fixed in CVS.

Debian: New Linux 2.4.17 and 2.4.18 packages fix local root exploit (hppa)
Apr 14, 2004 3:45 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 and 2.4.18 for the hppa (PA-RISC) architecture.

Debian: New Linux 2.4.17 packages fix local root exploit (ia64)
Apr 14, 2004 4:11 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the IA-64 architecture.

Debian: New Linux 2.4.17 packages fix local root exploit (mips+mipsel)
Apr 17, 2004 3:12 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the PowerPC/apus and S/390 architectures.

Debian: New Linux 2.4.17 packages fix local root exploit (source+powerpc/apus+s390)
Apr 14, 2004 4:42 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the PowerPC/apus and S/390 architectures.

Debian: New Linux 2.4.18 packages fix local root exploit (i386)
Apr 15, 2004 3:18 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.18 for the i386 architecture. This advisory replaces the i386 part of DSA 479-1 (except for the i386bf part). An unfortunate build error caused some of the kernel packages in DSA 479-1 to be broken.

Debian: New Linux 2.4.18 packages fix local root exploit (source+alpha+i386+powerpc)
Apr 14, 2004 3:23 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.18 for the alpha, i386 and powerpc architectures.

Debian: New Linux 2.4.19 packages fix local root exploit (mips)
Apr 17, 2004 8:49 PM
Several serious problems have been discovered in the Linux kernel. This update takes care of Linux 2.4.17 for the MIPS architecture.

Debian: New logcheck packages fix insecure temporary directory
Apr 17, 2004 2:17 PM
Christian Jaeger reported a bug in logcheck which could potentially be exploited by a local user to overwrite files with root privileges. logcheck utilized a temporary directory under /var/tmp without taking security precautions. This directory is created when logcheck is installed, and there is no vulnerability as long as it exists; if at any time the directory is removed, however, the potential for exploitation exists.

Debian: New mysql packages fix insecure temporary file creation
Apr 14, 2004 5:06 PM
Two vulnerabilities have been discovered in mysql, a common database system. Two scripts contained in the package don't create temporary files in a secure fashion. This could allow a local attacker to overwrite files with the privileges of the user invoking the MySQL server, which is often the root user.

Debian: New neon packages fix format string vulnerabilities
Apr 17, 2004 2:17 PM
Multiple format string vulnerabilities were discovered in neon, an HTTP and WebDAV client library. These vulnerabilities could potentially be exploited by a malicious WebDAV server to execute arbitrary code with the privileges of the process using libneon.

Debian: New perl packages fix information leak in suidperl
Apr 17, 2004 2:17 PM
Paul Szabo discovered a number of similar bugs in suidperl, a helper program to run perl scripts with setuid privileges. By exploiting these bugs, an attacker could abuse suidperl to discover information about files (such as testing for their existence and some of their permissions) that should not be accessible to unprivileged users.

Debian: New ssmtp packages fix format string vulnerabilities
Apr 15, 2004 3:18 PM
Max Vozeler discovered two format string vulnerabilities in ssmtp, a simple mail transport agent. Untrusted values in the functions die() and log_event() were passed to printf-like functions as format strings. These vulnerabilities could potentially be exploited by a remote mail relay to gain the privileges of the ssmtp process (including potentially root).

Debian: New xonix packages fix failure to drop privileges
Apr 15, 2004 3:18 PM
Steve Kemp discovered a vulnerability in xonix, a game, where an external program was invoked while retaining setgid privileges. A local attacker could exploit this vulnerability to gain gid "games".

Debian: New Zope packages fix arbitrary code execution
Apr 17, 2004 8:49 PM
A vulnerability has been discovered in the index support of the ZCatalog plug-in in Zope, an open source web application server. A flaw in the security settings of ZCatalog allows anonymous users to call arbitrary methods of catalog indexes. The vulnerability also allows untrusted code to do the same.

Fedora: Updated kernel packages resolve security vulnerabilities
Apr 14, 2004 4:16 PM
iDefense reported a buffer overflow flaw in the ISO9660 filesystem code. An attacker could create a malicious filesystem in such a way that they could gain root privileges if that filesystem is mounted. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0109 to this issue.

Fedora: Updated squid package fixes a security vulnerability
Apr 15, 2004 6:40 PM
Backport security fix for %00 hole.

Gentoo: CVS Server and Client Vulnerabilities
Apr 15, 2004 3:18 PM
There are two vulnerabilities in CVS; one in the server and one in the client. These vulnerabilities allow the reading and writing of arbitrary files on both client and server.

Mandrake: Updated cvs packages fix remotely exploitable vulnerability
Apr 14, 2004 5:29 PM
Sebastian Krahmer from the SUSE security team discovered a remotely exploitable vulnerability in the CVS client. When doing a cvs checkout or update over a network, the client accepts absolute pathnames in the RCS diff files. A maliciously configured server could then create any file, with arbitrary content, on the local user's disk. This problem affects all versions of CVS prior to 1.11.15, which fixes the problem.

Mandrake: Updated kernel packages fix multiple vulnerabilities
Apr 14, 2004 6:54 PM
A vulnerability was found in the R128 DRI driver by Alan Cox. This could allow local privilege escalation. The previous fix, in MDKSA-2004:015, only partially corrected the problem; the full fix is included (CAN-2004-0003).

Mandrake: Updated tcpdump packages fix several vulnerabilities
Apr 15, 2004 3:18 PM
A number of vulnerabilities were discovered in tcpdump versions prior to 3.8.1 that, if fed a maliciously crafted packet, could be exploited to crash tcpdump.

OpenPKG: OpenPKG Security Advisory (cvs)
Apr 14, 2004 6:54 PM
Sebastian Krahmer from the SuSE Security Team discovered [1] a flaw in Concurrent Versions System (CVS) [0] clients where RCS "diff files" can create files with absolute pathnames. An attacker could create a fake malicious CVS server that would cause arbitrary files to be created or overwritten when a victim connects to it. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0180 [2] to the problem.

OpenPKG: OpenPKG Security Advisory (ethereal)
Apr 16, 2004 4:36 PM
According to a vendor security advisory based on hints from Stefan Esser and Jonathan Heusser, several vulnerabilities of various types exist in the Ethereal network protocol analyzer. Namely, it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully malformed packet onto the wire, by convincing someone to read a malformed packet trace file, or by creating a malformed color filter file.

OpenPKG: OpenPKG Security Advisory (mysql)
Apr 14, 2004 9:34 PM
Shaun Colley discovered [1] that the scripts "mysqlbug" and "mysqld_multi" of the MySQL RDBMS [0] perform insecure creations of temporary files. An attacker could create symbolic links in /tmp to achieve the overwriting of files with the privileges of the user invoking the scripts. The RDBMS startup wrapper "mysqld_multi" is currently not used in OpenPKG, although it is contained in the "mysql" package. The "mysqlbug" script could be run manually by the administrator. The Common Vulnerabilities and Exposures (CVE) project assigned the ids CAN-2004-0381 [2] and CAN-2004-0388 [3] to the problem.

OpenPKG: OpenPKG Security Advisory (neon)
Apr 16, 2004 4:53 PM
Greuff of VOID.AT discovered various format string vulnerabilities in the error output handling routines of the Neon HTTP and WebDAV client library. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2004-0179 to the problem.

Red Hat: Updated cadaver package fixes security vulnerability in neon
Apr 14, 2004 2:47 PM
An updated cadaver package that fixes a vulnerability in neon exploitable by a malicious DAV server is now available.

Red Hat: Updated CVS packages fix security issue
Apr 14, 2004 2:47 PM
Updated cvs packages that fix a client vulnerability that could be exploited by a malicious server are now available.

Red Hat: Updated Subversion packages fix security vulnerability in neon
Apr 15, 2004 2:40 PM
Updated Subversion packages that fix a vulnerability in neon, exploitable by a malicious DAV server, are now available.

Slackware: tcpdump denial of service (SSA:2004-108-01)
Apr 17, 2004 8:49 PM
Upgraded tcpdump packages are available for Slackware 8.1, 9.0, 9.1, and -current to fix denial-of-service issues. Sites using tcpdump should upgrade to the new packages.

SUSE: cvs (SuSE-SA:2004:008)
Apr 14, 2004 4:00 PM
During analysis of the CVS protocol and its implementation, the SuSE Security Team discovered a flaw in the handling of pathnames. Malicious CVS servers could specify absolute pathnames during checkouts and updates, which allows them to create arbitrary files with the permissions of the user invoking the CVS client. This could lead to a compromise of the system.

SUSE: Linux Kernel (SuSE-SA:2004:009)
Apr 14, 2004 4:00 PM
iDEFENSE Inc. informed us about a buffer overflow in the linux 2.4 kernel code which handles ISO9660 filesystems. The original code is not able to handle very long symlink names. The vulnerability can be triggered locally by mounting removable media that contains a malformed filesystem or by using the loopback device. Exploiting this buffer overflow results in kernel-level access to the system.

SUSE: Linux Kernel (SuSE-SA:2004:009)
Apr 14, 2004 3:23 PM
iDEFENSE Inc. informed us about a buffer overflow in the linux 2.4 kernel code which handles ISO9660 filesystems. The original code is not able to handle very long symlink names. The vulnerability can be triggered locally by mounting removable media that contains a malformed filesystem or by using the loopback device. Exploiting this buffer overflow results in kernel-level access to the system.

Trustix: kernel
Apr 16, 2004 12:50 PM
zen-parse discovered a buffer overflow vulnerability in the ISO9660 filesystem component of the Linux kernel which could be abused by an attacker to gain unauthorised root access. Sebastian Krahmer and Ernie Petrides developed a correction for this.
