Linux Advisory Watch – December 10, 2004


Author: Preston St. Pierre

This week, advisories were released for hpsockd, viewcvs, nfs-utils, cyrus-imapd,
netatalk, gaim, rhpl, ttfonts, mc, udev, gnome-bluetooth, rsh, mysql, libpng,
glib, gtk, postgresql, shadow-utils, perl, mirrorselect, drakxtools, dietlibc,
gzip, rp-pppoe, openssl, ImageMagick, samba, and cups. The distributors include
Debian, Fedora, Gentoo, Mandrake, Red Hat, SuSE, Trustix, and TurboLinux.

Packet Sniffers

One of the most common ways intruders gain access to more systems
on your network is by running a packet sniffer on an already
compromised host. This “sniffer” simply listens on the Ethernet port
for things like passwd, login and su in the packet stream and
then logs the traffic that follows. This way, attackers collect passwords
for systems they are not even attempting to break into. Clear-text
passwords are very vulnerable to this attack.

Example: Host A has been compromised. The attacker installs a sniffer.
The sniffer picks up an admin logging into Host B from Host C. It captures the
admin's personal password as they log in to B. Then the admin runs
su to fix a problem, and the attacker now has the root password for Host B.
Later the admin lets someone telnet from his account to Host Z at
another site. Now the attacker has a login and password on Host Z as well.

In this day and age, the attacker doesn’t even need to compromise a
system to do this: they could also bring a laptop or PC into a
building and tap into your network.

Using ssh or other encrypted password methods thwarts this attack.
Challenge-response schemes like APOP for POP accounts also prevent it. (Normal
POP logins are very vulnerable to this, as is anything that sends
clear-text passwords over the network.)
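To make the difference concrete, the following Python example (added here; it is not part of the original newsletter and does not capture anything from a real network) simulates the two POP3 logins mentioned above on constructed data. A plain USER/PASS login places the password on the wire verbatim, so a passive listener on the segment reads it directly; an APOP login (RFC 1939) instead sends the MD5 digest of a per-connection server timestamp and the shared secret, so the same listener sees only a digest that is useless for a later login. The hostname, user name and secret are invented sample values; the digest computation follows RFC 1939, and the RFC's own worked value is used as a self-check.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed sample credentials shared by the user and the mail server.
USER = "alice"
SECRET = "correct horse battery staple"


def pop3_plain_exchange(user, password):
    """Classic USER/PASS login. Returns the lines a passive listener on the
    segment would record: the password crosses the wire in clear text."""
    return [
        "S: +OK POP3 server ready",
        f"C: USER {user}",
        "S: +OK",
        f"C: PASS {password}",
        "S: +OK logged in",
    ]


def apop_timestamp(hostname="mail.example.test"):
    """Server challenge carried in the POP3 greeting (RFC 1939): a
    <process-id.clock@hostname> string that is unique per connection.
    The random suffix is our addition to guarantee uniqueness even when two
    connections arrive within the same second."""
    return f"<{os.getpid()}.{int(time.time())}{secrets.token_hex(4)}@{hostname}>"


def apop_digest(timestamp, secret):
    """RFC 1939 APOP digest: lowercase hex MD5 of the timestamp string
    (angle brackets included) immediately followed by the shared secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def apop_exchange(user, secret, timestamp):
    """APOP login. Returns the lines a passive listener would record:
    only the challenge and the digest, never the secret itself."""
    return [
        f"S: +OK POP3 server ready {timestamp}",
        f"C: APOP {user} {apop_digest(timestamp, secret)}",
        "S: +OK logged in",
    ]


def apop_server_verify(timestamp, user, presented_digest, user_db):
    """Server side: recompute the digest from the challenge it issued and the
    stored secret, then compare in constant time. A digest captured from an
    earlier session fails because the challenge is different each time."""
    secret = user_db.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(apop_digest(timestamp, secret), presented_digest)


def password_visible_on_wire(transcript, password):
    """What the sniffer in the scenario above is looking for: does the
    password appear verbatim anywhere in the captured exchange?"""
    return any(password in line for line in transcript)


def rfc1939_selfcheck():
    """The worked example from RFC 1939 section 7: secret 'tanstaaf' with the
    greeting timestamp shown there must yield the published digest."""
    return apop_digest("<1896.697170952@dbc.mtview.ca.us>", "tanstaaf")


if __name__ == "__main__":
    ts = apop_timestamp()
    for line in pop3_plain_exchange(USER, SECRET) + apop_exchange(USER, SECRET, ts):
        print(line)
    print("plain login leaks password:", password_visible_on_wire(pop3_plain_exchange(USER, SECRET), SECRET))
    print("APOP login leaks password:", password_visible_on_wire(apop_exchange(USER, SECRET, ts), SECRET))
```

Two caveats a defender should keep in mind. APOP only defeats passive reading of the password: the digest can still be attacked offline by guessing the secret, and the server must store each secret in a recoverable form to compute the expected digest. That is why the ssh (or, today, TLS) recommendation above remains the stronger fix; APOP is the fallback for clients that cannot encrypt the session.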

    Debian
  Debian: hpsockd denial of service fix
  3rd, December, 2004

“infamous41md” discovered a buffer overflow condition in hpsockd,
the socks server written at Hewlett-Packard. An exploit could cause the
program to crash or may have a worse effect.

http://www.linuxsecurity.com/content/view/117313

 
  Debian: viewcvs information leak fix
  6th, December, 2004

Hajvan Sehic discovered several vulnerabilities in viewcvs,
a utility for viewing CVS and Subversion repositories via HTTP. When exporting
a repository as a tar archive, the hide_cvsroot and forbidden settings
were not fully honoured.

http://www.linuxsecurity.com/content/view/117392

 
  Debian: nfs-utils denial of service fix
  8th, December, 2004

SGI has discovered that rpc.statd from the nfs-utils package,
the Network Status Monitor, did not ignore the SIGPIPE signal. Hence, a client
prematurely terminating the TCP connection could also terminate the server
process.

http://www.linuxsecurity.com/content/view/117423

 
    Fedora
  Fedora: cyrus-imapd-2.2.10-3.fc2 update
  3rd, December, 2004

The recent update to cyrus-imapd-2.2.10-1.fc2 for security exploits
revealed a package installation problem.

http://www.linuxsecurity.com/content/view/117366

 
  Fedora: cyrus-imapd-2.2.10-3.fc3 update
  3rd, December, 2004

The recent update to cyrus-imapd-2.2.10-1.fc3 for security exploits
revealed a package installation problem. If the main configuration files
for cyrus-imapd

http://www.linuxsecurity.com/content/view/117367

 
  Fedora: netatalk-1.6.4-2.2 update
  6th, December, 2004

Fix to temp file vulnerability in /etc/psf/etc2ps

http://www.linuxsecurity.com/content/view/117395

 
  Fedora: netatalk-1.6.4-4 update
  6th, December, 2004

Fix temp file vulnerability in /etc/psf/etc2ps

http://www.linuxsecurity.com/content/view/117396

 
  Fedora: gaim-1.1.0-0.FC2 update
  6th, December, 2004

Gaim allows you to talk to anyone using a variety of messaging
protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!, MSN Messenger,
Jabber, Gadu-Gadu, Napster, and Zephyr. These protocols are implemented
using a modular, easy to use design. To use a protocol, just add an account
using the account editor.

http://www.linuxsecurity.com/content/view/117397

 
  Fedora: gaim-1.1.0-0.FC3 update
  6th, December, 2004

Gaim allows you to talk to anyone using a variety of messaging
protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!, MSN Messenger,
Jabber, Gadu-Gadu, Napster, and Zephyr. These protocols are implemented
using a modular, easy to use design. To use a protocol, just add an account
using the account editor.

http://www.linuxsecurity.com/content/view/117398

 
  Fedora: rhpl-0.148.1-2 update
  6th, December, 2004

Remove synaptics requires (#137935)

http://www.linuxsecurity.com/content/view/117399

 
  Fedora: ttfonts-ja-1.2-36.FC3.0 update
  7th, December, 2004

Reverted the previous changes, which had broken ghostscript.
(#139798)

http://www.linuxsecurity.com/content/view/117404

 
  Fedora: mc-4.6.1-0.11FC3 update
  7th, December, 2004

The updated version of Midnight Commander contains finished
CAN-2004-0494 security fixes in extfs scripts and has better support for
UTF-8, contains subshell prompt fixes and enhanced large file support.

http://www.linuxsecurity.com/content/view/117417

 
  Fedora: udev-039-10.FC3.4 update
  7th, December, 2004

udev is an implementation of devfs in userspace using sysfs and
/sbin/hotplug. It requires a 2.6 kernel to run properly.

http://www.linuxsecurity.com/content/view/117418

 
  Fedora: udev-039-10.FC3.5 update
  7th, December, 2004

Fixed udev.rules for cdrom symlinks (bug 141897)

http://www.linuxsecurity.com/content/view/117419

 
  Fedora: gnome-bluetooth-0.5.1-5.FC3.1 update
  7th, December, 2004

Fixed the gnome-bluetooth-manager script for 64-bit again (bug 134864)

http://www.linuxsecurity.com/content/view/117420

 
  Fedora: rsh update
  8th, December, 2004

Fixed rexec failing with “Invalid Argument” (#118630)

http://www.linuxsecurity.com/content/view/117432

 
  Fedora: Omni-0.9.2-1.1 update
  8th, December, 2004

This is the 0.9.2 release of the Omni printer driver collection.
It also fixes a library path problem on multilib architectures such as
x86_64.

http://www.linuxsecurity.com/content/view/117433

 
  Fedora: mysql-3.23.58-9.1 update
  8th, December, 2004

Fixes security issues CAN-2004-0835, CAN-2004-0836 and CAN-2004-0837
(bugs #135372, #135375, #135387)

http://www.linuxsecurity.com/content/view/117434

 
  Fedora: libpng-1.2.8-1.fc2 update
  9th, December, 2004

Updates libpng to the current release 1.2.8. For details about
the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117439

 
  Fedora: libpng10-1.0.18-1.fc2 update
  9th, December, 2004

Updates libpng10 to the current release 1.0.18. For details
about the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117440

 
  Fedora: glib2-2.4.8-1.fc2 update
  9th, December, 2004

Updates GLib to the current stable release 2.4.8. For details
about the bugs which have been fixed in this release, see
http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00004.html

http://www.linuxsecurity.com/content/view/117441

 
  Fedora: gtk2-2.4.14-1.fc2 update
  9th, December, 2004

Updates GTK+ to the current stable release 2.4.14. For details
about the bugs which have been fixed in this release, see
http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00007.html

http://www.linuxsecurity.com/content/view/117442

 
  Fedora: libpng10-1.0.18-1.fc3 update
  9th, December, 2004

Updates libpng10 to the current release 1.0.18. For details
about the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117443

 
  Fedora: libpng-1.2.8-1.fc3 update
  9th, December, 2004

Updates libpng to the current release 1.2.8. For details about
the bugs which have been fixed in this release, see http://www.libpng.org/pub/png/libpng.html

http://www.linuxsecurity.com/content/view/117444

 
  Fedora: glib2-2.4.8-1.fc3 update
  9th, December, 2004

Updates GLib to the current stable release 2.4.8. For details
about the bugs which have been fixed in this release, see
http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00004.html

http://www.linuxsecurity.com/content/view/117445

 
  Fedora: gtk2-2.4.14-1.fc3 update
  9th, December, 2004

Updates GTK+ to the current stable release 2.4.14. For details
about the bugs which have been fixed in this release, see
http://mail.gnome.org/archives/gnome-announce-list/2004-December/msg00007.html

http://www.linuxsecurity.com/content/view/117446

 
  Fedora: postgresql-odbc-7.3-6.2 update
  9th, December, 2004

This update fixes problems occurring on 64-bit platforms.

http://www.linuxsecurity.com/content/view/117447

 
  Fedora: postgresql-odbc-7.3-8.FC3.1 update
  9th, December, 2004

This update fixes problems occurring on 64-bit platforms.

http://www.linuxsecurity.com/content/view/117448

 
  Fedora: postgresql-7.4.6-1.FC2.1 update
  9th, December, 2004

This update synchronizes PostgreSQL for FC2 with the version
already released in FC3.

http://www.linuxsecurity.com/content/view/117449

 
  Fedora: shadow-utils-4.0.3-55 update
  9th, December, 2004

A regression has been fixed where strict enforcement of POSIX
rules for user and group names prevented Samba 3 from using its “add machine
script” feature with useradd. Also, the maximum length for a username/groupname
is now 31 (previously it was 32). The lastlog command can now handle extremely
large (greater than 4GB) lastlogs.

http://www.linuxsecurity.com/content/view/117452

 
  Fedora: shadow-utils-4.0.3-56 update
  9th, December, 2004

A regression has been fixed where strict enforcement of POSIX
rules for user and group names prevented Samba 3 from using its “add machine
script” feature with useradd. Also, the maximum length for a username/groupname
is now 31 (previously it was 32). The lastlog command can now handle extremely
large (greater than 4GB) lastlogs.

http://www.linuxsecurity.com/content/view/117453

 
    Gentoo
  Gentoo: rssh, scponly Unrestricted command execution
  3rd, December, 2004

rssh and scponly do not filter command-line options that can
be exploited to execute any command, thereby allowing a remote user to
completely bypass the restricted shell.

http://www.linuxsecurity.com/content/view/117364

 
  Gentoo: PDFlib Multiple overflows in the included TIFF library
  6th, December, 2004

PDFlib is vulnerable to multiple overflows, which can potentially
lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117393

 
  Gentoo: imlib Buffer overflows in image decoding
  6th, December, 2004

Multiple overflows have been found in the imlib library image
decoding routines, potentially allowing execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117394

 
  Gentoo: perl Insecure temporary file creation
  6th, December, 2004

Perl is vulnerable to symlink attacks, potentially allowing
a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/117402

 
  Gentoo: mirrorselect Insecure temporary file creation
  7th, December, 2004

mirrorselect is vulnerable to symlink attacks, potentially allowing
a local user to overwrite arbitrary files.

http://www.linuxsecurity.com/content/view/117403

 
    Mandrake
  Mandrake: drakxtools update
  7th, December, 2004

Beginning immediately, all bug reports for stable releases will
be handled via Bugzilla at http://qa.mandrakesoft.com/. The drakbug tool
has been updated to point users of stable releases to Bugzilla.

http://www.linuxsecurity.com/content/view/117405

 
  Mandrake: dietlibc fix
  7th, December, 2004

There was a problem with dietlibc in Mandrakelinux 10.0/amd64
where it would not provide proper support for the AMD64 architecture.
The updated package fixes this.

http://www.linuxsecurity.com/content/view/117406

 
  Mandrake: gzip fix
  7th, December, 2004

The Trustix developers found some insecure temporary file creation
problems in the zdiff, znew, and gzexe supplemental scripts in the gzip
package. These flaws could allow local users to overwrite files via a
symlink attack.

http://www.linuxsecurity.com/content/view/117407

 
  Mandrake: ImageMagick fix
  7th, December, 2004

A vulnerability was discovered in ImageMagick where, due to
a boundary error within the EXIF parsing routine, a specially crafted
graphic image could potentially lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117408

 
  Mandrake: lvm1 fix
  7th, December, 2004

The Trustix developers discovered that the lvmcreate_initrd
script, part of the lvm1 package, created a temporary directory in an
insecure manner. This could allow for a symlink attack to create or overwrite
arbitrary files with the privileges of the user running the script.

http://www.linuxsecurity.com/content/view/117409

 
  Mandrake: rp-pppoe fix
  7th, December, 2004

Max Vozeler discovered a vulnerability in pppoe, part of the
rp-pppoe package. When pppoe is running setuid root, an attacker can overwrite
any file on the system. Mandrakelinux does not install pppoe setuid root,
however the packages have been patched to prevent this problem.

http://www.linuxsecurity.com/content/view/117410

 
  Mandrake: nfs-utils fix
  7th, December, 2004

SGI developers discovered a remote DoS (Denial of Service) condition
in the NFS statd server. rpc.statd did not ignore the SIGPIPE signal,
which would cause it to shut down if a misconfigured or malicious peer
terminated the TCP connection prematurely.

http://www.linuxsecurity.com/content/view/117411

 
  Mandrake: openssl fix
  7th, December, 2004

The Trustix developers found that the der_chop script, included
in the openssl package, created temporary files insecurely. This could
allow local users to overwrite files using a symlink attack.

http://www.linuxsecurity.com/content/view/117412

 
    Trustix
  Trustix: multiple package bugfixes
  9th, December, 2004

amavisd-new
AMaViS is a script that interfaces a mail transport agent (MTA) with one
or more virus scanners.

http://www.linuxsecurity.com/content/view/117437

 
  Trustix: nfs-utils Remote denial of service
  9th, December, 2004

SGI developers discovered a remote Denial of Service in the
NFS statd server, which did not ignore the SIGPIPE signal. This could
cause the server to shut down if a client terminates the connection prematurely.

http://www.linuxsecurity.com/content/view/117438

 
    Red Hat
  Red Hat: ImageMagick security vulnerability fix
  8th, December, 2004

Updated ImageMagick packages that fix a buffer overflow are
now available.

http://www.linuxsecurity.com/content/view/117431

 
    SuSE
  SuSE: cyrus-imapd remote command execution
  3rd, December, 2004

Stefan Esser reported various bugs within the Cyrus IMAP Server.
These include buffer overflows and out-of-bounds memory access which could
allow remote attackers to execute arbitrary commands as root. The bugs
occur in the pre-authentication phase, therefore an update is strongly
recommended.

http://www.linuxsecurity.com/content/view/117317

 
    TurboLinux
  TurboLinux: samba, cups vulnerabilities
  8th, December, 2004

Two vulnerabilities were discovered in Samba, along with a DoS
vulnerability in cups.

http://www.linuxsecurity.com/content/view/117424