Showing all newswire headlines

Traceroute is a tool that can be used to track packets in a TCP/IP network to determine it's route or to find out about not working routers. Traceroute-nanog requires root privilege to open a raw socket. It does not relinquish these privileges after doing so. This allows a malicious user to gain root access by exploiting a buffer overflow at a later point.

During a security review, the SuSE security team has found two vulnerabilities in the KDE lanbrowsing service.

PHP versions up to and including 4.

iDEFENSE reports a security vulnerability in the klisa package, that provides a LAN information service similar to "Network Neighbourhood", which was discovered by Texonet. It is possible for a local attacker to exploit a buffer overflow condition in resLISa, a restricted version of KLISa. The vulnerability exists in the parsing of the LOGNAME environment variable, an overly long value will overwrite the instruction pointer thereby allowing an attacker to seize control of the executable.

The security update for Squirrelmail (DSA 191-1) unfortunately introduced a bug in the options page. This problem is fixed in version 1.2.6-1.2 the current stable distribution (woody). The unstable distribution (sid) and the old stable distribution (potato) were not affected by this. For completeness please find below the original security advisory:

The SuSE Security Team found a vulnerability in html2ps, a HTML to PostScript converter, that opened files based on unsanitized input insecurely. This problem can be exploited when html2ps is installed as filter within lrpng and the attacker has previously gained access to the lp account.

A vulnerability was discovered in Mail::Mailer perl module by the SuSE security team during an audit. The vulnerability allows remote attackers to execute arbitrary commands in certain circumstances due to the usage of mailx as the default mailer, a program that allows commands to be embedded in the mail body.

A buffer overflow vulnerability exists in nss_ldap versions prior to 198. When nss_ldap is configured without a value for the "host" keyword, it attempts to configure itself using SRV records stored in DNS. nss_ldap does not check that the data returned by the DNS query will fit into an internal buffer, thus exposing it to an overflow.

Several cross site scripting vulnerabilities have been found in squirrelmail, a feature-rich webmail package written in PHP4. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

A remotely exploitable stack buffer overflow has been found in the Kerberos v4 compatibility administration daemon distributed with the Red Hat Linux krb5 packages.

Al Viro found a problem in the image handling code use in Window Maker, a popular NEXTSTEP like window manager. When creating an image it would allocate a buffer by multiplying the image width and height, but did not check for an overflow. This makes it possible to overflow the buffer. This could be exploited by using specially crafted image files (for example when previewing themes).

Updated glibc packages are available to fix a buffer overflow in the resolver.

iDEFENSE reported about a vulnerability in LuxMan, a maze game for GNU/Linux, similar to the PacMan arcade game. When successfully exploited it a local attacker with read write access to the Memory, leading to a local root compromise in many ways, examples of which include scanning the file for fragments of the master password file and modifying kernel memory to re-map system calls.

According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several vulnerabilities have been found in the Apache package, a commonly used webserver. Most of the code is shared between the Apache and Apache-SSL packages, so vulnerabilities are shared as well. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross scripting attack, or steal cookies from other web site users. Vulnerabilities in the included lecacy programs htdigest, htpasswd and ApacheBench can be exploited when called via CGI. Additionally the insecure temporary file creation in htdigest and htpasswd can also be exploited locally. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer which allows commands to be embedded in the mail body. Vulnerable to this attack are custom auto reply programs or spam filters which use Mail::Mailer directly or indirectly.

According to David Wagner, iDEFENSE and the Apache HTTP Server Project, several remotely exploitable vulnerabilities have been found in the Apache package, a commonly used webserver. These vulnerabilities could allow an attacker to enact a denial of service against a server or execute a cross scripting attack. The Common Vulnerabilities and Exposures (CVE) project identified the following vulnerabilities:

Enrico Zini discovered a buffer overflow in log2mail, a daemon for watching logfiles and sending lines with matching patterns via mail. The log2mail daemon is started upon system boot and runs as root. A specially crafted (remote) log message could overflow a static buffer, potentially leaving log2mail to execute arbitrary code as root.

Numerous security fixes are available in Mozilla 1.0.1. For a detailed list, refer to the "Recently fixed security issues" page on the Mozilla website (see the first reference). All users are encouraged to upgrade to this latest stable 1.0.x release of Mozilla.

A stack buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server was discovered, which is provided by Heimdal as well. A working exploit for this kadmind bug is already circulating, hence it is considered serious. The roken library also contains a vulnerability which could lead to another root exploit.

The lprng package contains the "runlpr" program which allows the lp user to execute the lpr program as root. Local attackers can pass certain commandline arguments to lpr running as root, fooling it to execute arbitrary commands as root. This has been fixed. Note that this vulnerability can only be exploited if the attacker has previously gained access to the lp account.