Linux Advisory Watch – January 7, 2005


Author: Benjamin D. Thomas

This week, advisories were released for mplayer, samba, wxgtk, cups, htmlheadline,
nasm, zip, pcal, tiff, namazu, imlib2, selinux, tetex, pcmcia, kernel, mysql,
gpdf, hotplug, linpopup, firefox, shoutcast, mit-krb5, xine, phpgroupware, xzgv,
vilistextum, vim, mc, and fam. The distributors include Conectiva, Debian, Fedora,
Gentoo, Mandrake, and Red Hat.

In order to keep yourself secure you must understand your enemy.
Prevention is the only protection from becoming the victim of a security
exploit. The first step in doing this is to determine what services
your servers offer, so you can secure them in the best manner possible.
Network scanning can be used to determine potential communication
channels. Mapping their existence facilitates the exchange of
information with the host, and thus is quite useful for anyone wishing
to explore their networked environment, including attackers.

Scanning, as a method for discovering exploitable communication channels,
has been around for ages. The idea is to probe as many listeners as
possible, and keep track of the ones that are receptive or useful. Once
these listeners are found, means to exploit the host can be developed.
Unnecessarily offering a particular service to a hacker means another
avenue to exploit the host.

Many different types of scanning are currently available. These range
from a simple ping test to see whether the host is alive, through network
broadcasts, to “stealth” scans that manipulate the ICMP, TCP, or UDP
information in a packet, intentionally violating the protocol definition
in an attempt to slip past a firewall.
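As an added illustration (not part of the original newsletter or of the linked tip), here is a defender-side detector in Python for the probe patterns described above. It reads lines in the syslog format written by the netfilter LOG target (the sample lines are constructed, not captured traffic), reports a source that touches many distinct ports within a short window, and reports TCP segments whose flag combination violates the protocol (SYN and FIN together, or no flags at all). The thresholds, the trimmed log format and the addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the syslog format written by the netfilter LOG
# target. They are not real traffic; the addresses come from documentation
# ranges, and fields a real LOG line carries but the detector does not use
# (LEN, TTL, ID, WINDOW, ...) are omitted.
SAMPLE_LOG = """\
Jan  7 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jan  7 10:00:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jan  7 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jan  7 10:00:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jan  7 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jan  7 10:00:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Jan  7 10:00:09 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 SYN FIN
Jan  7 10:00:10 gw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22
Jan  7 10:00:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80 SYN
Jan  7 10:05:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=443 SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<kv>.*)$")
TCP_FLAGS = ("URG", "ACK", "PSH", "RST", "SYN", "FIN")


def parse_line(line):
    """Return the KEY=value fields and TCP flags of one LOG line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("kv").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine because only differences between timestamps are used below.
    fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    fields["flags"] = flags
    return fields


def detect_scans(log_text, threshold=5, window_seconds=60):
    """Report sources that hit >= threshold distinct DST:DPT pairs inside any
    window of window_seconds (a port sweep), and TCP segments whose flags
    violate the protocol definition (SYN+FIN together, or no flags at all)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    malformed = []
    for e in events:
        by_src[e["SRC"]].append(e)
        if e["PROTO"] == "TCP":
            f = e["flags"]
            if {"SYN", "FIN"} <= f or not f:
                malformed.append((e["SRC"], e.get("DPT"), "".join(sorted(f)) or "NULL"))
    window = timedelta(seconds=window_seconds)
    sweeps = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, first in enumerate(evs):   # slide a window over this source's events
            targets = set()
            for later in evs[i:]:
                if later["ts"] - first["ts"] > window:
                    break
                targets.add((later["DST"], later.get("DPT")))
            best = max(best, len(targets))
        if best >= threshold:
            sweeps[src] = best
    return {"sweeps": sweeps, "malformed": malformed}


if __name__ == "__main__":
    result = detect_scans(SAMPLE_LOG)
    for src, n in result["sweeps"].items():
        print(f"port sweep from {src}: {n} distinct targets within 60s")
    for src, dpt, flags in result["malformed"]:
        print(f"malformed TCP probe from {src} to port {dpt}: flags {flags}")
```

Run as written it reports one sweep (198.51.100.7 hit six ports in two seconds) and two malformed probes; the slow source 192.0.2.44 stays below the threshold unless the window is widened, which is the usual trade-off between catching slow scans and tolerating legitimate clients that open several connections.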

Becoming familiar with the tools and techniques an attacker might use to
probe a network is the only way to know what information is available if
someone attempts to mount an attack against us. Among the things that
can be determined by port scanning a machine include:

  • Services a host is offering which can then be used to construct the
    appropriate attack based on information gathered from this process
  • If there is in fact a host at the IP address that is being scanned
  • A topology map of our network, which can be used to determine where
    firewalls and other hosts are positioned, trusted relationships between
    those hosts, and routing and DNS information.
  • Operating system identification, vendor release and version, as well
    as applications and their versions
  • Disclosure of the username and owner of any process connected via TCP,
    which can then be used to determine, for example, the username under which
    the web server is running

Linux Security Tip, by Ryan Maple:
http://www.linuxsecurity.com/content/view/117271/141/

 

LinuxSecurity.com
Feature Extras:

A 2005 Linux Security Resolution – Year 2000, the coming of the new millennium,
brought us great joy and celebration, but also brought great fear. Some believed
it would result in full-scale computer meltdown, leaving Earth as a nuclear
wasteland. Others predicted minor glitches leading only to inconvenience. The
following years (2001-2004) have been tainted with the threat of terrorism worldwide.

State of Linux Security 2004 – In 2004, security continued to be a major
concern. The beginning of the year was plagued with several kernel flaws and
Linux vendor advisories continue to be released at an ever-increasing rate.
This year, we have seen the reports touting Windows’ security superiority, only
to be debunked by other security experts immediately after release. Also, Guardian
Digital launched the new LinuxSecurity.com, users continue to be targeted by
automated attacks, and the need for security awareness and education continues
to rise.

 

Take advantage of our Linux Security discussion list!
This mailing list is for general security-related questions and comments.
To subscribe send an e-mail to security-discuss-request@linuxsecurity.com
with “subscribe” as the subject.

Thank you for reading the LinuxSecurity.com
weekly security newsletter. The purpose of this document is to provide our readers
with a quick summary of each week’s most relevant Linux security headlines.

   Conectiva
  Conectiva: mplayer vulnerabilities fix
  5th, January, 2005

iDEFENSE[2] found a buffer overflow vulnerability[3] due to
an error in dynamically allocating memory and further investigation by
mplayer team found more vulnerabilities. This announcement fixes these
vulnerabilities.

http://www.linuxsecurity.com/content/view/117769

 
  Conectiva: Samba vulnerabilities fix
  6th, January, 2005

Remote exploitation of an integer overflow vulnerability[2]
in the smbd daemon could allow an attacker to cause controllable heap
corruption, leading to execution of arbitrary commands with root privileges.

http://www.linuxsecurity.com/content/view/117793

 
  Conectiva: wxgtk2 library vulnerabilities fix
  6th, January, 2005

Several vulnerabilities were found in libtiff, which may also be present
in the wxGTK library, since it carries a private copy of libtiff’s source.

http://www.linuxsecurity.com/content/view/117794

 
   Debian
  Debian: CUPS arbitrary code execution fix
  31st, December, 2004

An iDEFENSE security researcher discovered a buffer overflow
in xpdf, the Portable Document Format (PDF) suite. Similar code is present
in the PDF processing part of CUPS. A maliciously crafted PDF file could
exploit this problem, leading to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117725

 
  Debian: htmlheadline insecure temporary files fix
  3rd, January, 2005

Javier Fernández-Sanguino Peña has discovered multiple insecure
uses of temporary files that could lead to overwriting arbitrary files
via a symlink attack.

http://www.linuxsecurity.com/content/view/117726

 
  Debian: nasm arbitrary code execution fix
  4th, January, 2005

Jonathan Rockway discovered a buffer overflow in nasm, the general-purpose
x86 assembler, which could lead to the execution of arbitrary code when
compiling a maliciously crafted assembler source file.

http://www.linuxsecurity.com/content/view/117756

 
  Debian: zip arbitrary code execution fix
  5th, January, 2005

A buffer overflow has been discovered in zip, the archiver for
.zip files. When doing recursive folder compression the program did not
check the resulting path length, which would lead to memory being overwritten.
A malicious person could convince a user to create an archive containing
a specially crafted path name, which could lead to the execution of arbitrary
code.

http://www.linuxsecurity.com/content/view/117767

 
  Debian: pcal arbitrary code execution fix
  5th, January, 2005

Danny Lungstrom discovered two buffer overflows in pcal, a program
to generate Postscript calendars, that could lead to the execution of
arbitrary code when compiling a calendar.

http://www.linuxsecurity.com/content/view/117770

 
  Debian: tiff denial of service fix
  6th, January, 2005

Dmitry V. Levin discovered a buffer overflow in libtiff, the
Tag Image File Format library for processing TIFF graphics files. Upon
reading a TIFF file it is possible to crash the application, and maybe
also to execute arbitrary code.

http://www.linuxsecurity.com/content/view/117780

 
  Debian: namazu2 cross-site scripting vulnerability fix
  6th, January, 2005

A cross-site scripting vulnerability has been discovered in
namazu2, a full text search engine. An attacker could prepare specially
crafted input that would not be sanitised by namazu2 and hence displayed
verbatim for the victim.

http://www.linuxsecurity.com/content/view/117790

 
  Debian: imlib2 arbitrary code execution fix
  6th, January, 2005

Pavel Kankovsky discovered that several overflows found in the
libXpm library were also present in imlib and imlib2, imaging libraries
for X11. An attacker could create a carefully crafted image file in such
a way that it could cause an application linked with imlib or imlib2 to
execute arbitrary code when the file was opened by a victim.

http://www.linuxsecurity.com/content/view/117791

 
   Fedora
  Fedora: selinux-policy-targeted-1.17.30-2.62 update
  31st, December, 2004

Fix for postgres startup scripts.

http://www.linuxsecurity.com/content/view/117729

 
  Fedora: tetex-2.0.2-14FC2.1 update
  3rd, January, 2005

The updated tetex package fixes a buffer overflow which allows
attackers to cause the internal xpdf library used by applications in tetex
to crash, and possibly to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125
to this issue.

http://www.linuxsecurity.com/content/view/117742

 
  Fedora: tetex-2.0.2-21.2 update
  3rd, January, 2005

The updated tetex package fixes a buffer overflow which allows
attackers to cause the internal xpdf library used by applications in tetex
to crash, and possibly to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125
to this issue.

http://www.linuxsecurity.com/content/view/117743

 
  Fedora: pcmcia-cs-3.2.7-2.1 update
  3rd, January, 2005

This update fixes bug #135508, silencing a warning message on
cardmgr startup.

http://www.linuxsecurity.com/content/view/117750

 
  Fedora: pcmcia-cs-3.2.7-1.8.2.2 update
  3rd, January, 2005

This update fixes bug #135508, silencing a warning message on
cardmgr startup.

http://www.linuxsecurity.com/content/view/117751

 
  Fedora: kernel-2.6.9-1.11_FC2 update
  3rd, January, 2005

A large change over previous kernels has been made. The 4G:4G
memory split patch has been dropped, and Fedora kernels now revert back
to the upstream 3G:1G kernel/userspace split.

http://www.linuxsecurity.com/content/view/117752

 
  Fedora: kernel-2.6.9-1.724_FC3 update
  3rd, January, 2005

A large change over previous kernels has been made. The 4G:4G
memory split patch has been dropped, and Fedora kernels now revert back
to the upstream 3G:1G kernel/userspace split.

http://www.linuxsecurity.com/content/view/117753

 
  Fedora: mysql-3.23.58-14 update
  5th, January, 2005

Work around an SELinux restriction that breaks mysql_install_db
(bug #141062). Add a restorecon to keep the mysql.log file in the right
context (bz#143887). Fix the init script so it does not need a valid username
for the startup check (bz#142328). Don’t assume /etc/my.cnf will specify
pid-file (bz#143724).

http://www.linuxsecurity.com/content/view/117777

 
  Fedora: man-pages-ja-20041215-1.FC3.0 update
  6th, January, 2005

Prefer GNU fileutils’s chown(1) rather than gnumaniak’s. (#142077)

http://www.linuxsecurity.com/content/view/117783

 
  Fedora: ruby-1.8.2-1.FC3.0 update
  6th, January, 2005

New upstream release.

http://www.linuxsecurity.com/content/view/117784

 
  Fedora: man-pages-ja-20041215-1.FC2.0 update
  6th, January, 2005

Fixed wrong filename for the in.rlogind.8 man page. Prefer GNU fileutils’s
chown(1) rather than gnumaniak’s.

http://www.linuxsecurity.com/content/view/117785

 
  Fedora: tetex-2.0.2-14FC2.1 update
  6th, January, 2005

The updated tetex package fixes a buffer overflow which allows
attackers to cause the internal xpdf library used by applications in tetex
to crash, and possibly to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125
to this issue.

http://www.linuxsecurity.com/content/view/117786

 
  Fedora: tetex-2.0.2-21.2 update
  6th, January, 2005

The updated tetex package fixes a buffer overflow which allows
attackers to cause the internal xpdf library used by applications in tetex
to crash, and possibly to execute arbitrary code. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-1125
to this issue.

http://www.linuxsecurity.com/content/view/117787

 
  Fedora: gpdf-2.8.0-8.2 update
  6th, January, 2005

Applied patch to fix CAN-2004-1125 (bug #144210)

http://www.linuxsecurity.com/content/view/117788

 
  Fedora: gpdf-2.8.0-4.2.fc2 update
  6th, January, 2005

Applied patch to fix CAN-2004-1125 (bug #144210)

http://www.linuxsecurity.com/content/view/117789

 
  Fedora: hotplug-2004_04_01-8.1 update
  6th, January, 2005

This adds a fix to properly set the path for devices on USB
removal.

http://www.linuxsecurity.com/content/view/117792

 
   Gentoo
  Gentoo: LinPopUp Buffer overflow in message reply
  4th, January, 2005

LinPopUp contains a buffer overflow potentially allowing execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/117760

 
  Gentoo: a2ps Insecure temporary files handling
  4th, January, 2005

The fixps and psmandup scripts in the a2ps package are vulnerable
to symlink attacks, potentially allowing a local user to overwrite arbitrary
files.

http://www.linuxsecurity.com/content/view/117761

 
  Gentoo: Mozilla, Firefox, Thunderbird Various vulnerabilities
  5th, January, 2005

Various vulnerabilities were found and fixed in Mozilla-based
products, ranging from a potential buffer overflow and temporary files
disclosure to anti-spoofing issues.

http://www.linuxsecurity.com/content/view/117768

 
  Gentoo: shoutcast Remote code execution
  5th, January, 2005

Shoutcast Server contains a possible buffer overflow that could
lead to the execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117771

 
  Gentoo: mit-krb5 Heap overflow in libkadm5srv
  5th, January, 2005

The MIT Kerberos 5 administration library (libkadm5srv) contains
a heap overflow that could lead to execution of arbitrary code.

http://www.linuxsecurity.com/content/view/117778

 
  Gentoo: tiff New overflows in image decoding
  5th, January, 2005

An integer overflow has been found in the TIFF library image
decoding routines and the tiffdump utility, potentially allowing arbitrary
code execution.

http://www.linuxsecurity.com/content/view/117779

 
  Gentoo: xine-lib Multiple overflows
  6th, January, 2005

xine-lib contains multiple overflows potentially allowing execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/117781

 
  Gentoo: phpGroupWare Various vulnerabilities
  6th, January, 2005

Multiple vulnerabilities have been discovered in phpGroupWare
that could lead to information disclosure or remote compromise.

http://www.linuxsecurity.com/content/view/117798

 
  Gentoo: xzgv Multiple overflows
  6th, January, 2005

xzgv contains multiple overflows that may lead to the execution
of arbitrary code.

http://www.linuxsecurity.com/content/view/117806

 
  Gentoo: vilistextum Buffer overflow vulnerability
  6th, January, 2005

Vilistextum is vulnerable to a buffer overflow that allows an
attacker to execute arbitrary code through the use of a malicious webpage.

http://www.linuxsecurity.com/content/view/117807

 
   Mandrake
  Mandrake: libtiff multiple vulnerabilities fix
  6th, January, 2005

Several vulnerabilities have been discovered in the libtiff
package.

http://www.linuxsecurity.com/content/view/117801

 
  Mandrake: wxGTK2 vulnerabilities fix
  6th, January, 2005

Several vulnerabilities have been discovered in the libtiff
package; wxGTK2 uses a libtiff code tree, so it may have the same vulnerabilities.

http://www.linuxsecurity.com/content/view/117802

 
  Mandrake: vim modeline vulnerabilities fix
  6th, January, 2005

Several “modeline”-related vulnerabilities were discovered in
Vim by Ciaran McCreesh. The updated packages have been patched with Bram
Moolenaar’s vim 6.3.045 patch which fixes the reported vulnerabilities
and adds more conservative “modeline” rights.

http://www.linuxsecurity.com/content/view/117803

 
  Mandrake: nasm buffer overflow vulnerability fix
  6th, January, 2005

A buffer overflow in nasm was discovered by Jonathan Rockway.
This vulnerability could lead to the execution of arbitrary code when
compiling a malicious assembler source file.

http://www.linuxsecurity.com/content/view/117804

 
  Mandrake: libtiff multiple vulnerabilities fix
  6th, January, 2005

Several vulnerabilities have been discovered in the libtiff
package.

http://www.linuxsecurity.com/content/view/117805

 
   Red Hat
  Red Hat: mc security vulnerabilities fix
  5th, January, 2005

An updated mc package that resolves several shell escape security
issues is now available.

http://www.linuxsecurity.com/content/view/117772

 
  Red Hat: fam security issue fix
  5th, January, 2005

Updated fam packages that fix an information disclosure bug
are now available.

http://www.linuxsecurity.com/content/view/117773

 
  Red Hat: VIM security vulnerability fix
  5th, January, 2005

Updated vim packages that fix a modeline vulnerability are now
available.

http://www.linuxsecurity.com/content/view/117774

 
  Red Hat: samba security issue fix
  5th, January, 2005

Updated samba packages that fix an integer overflow vulnerability
are now available for Red Hat Enterprise Linux 2.1.

http://www.linuxsecurity.com/content/view/117775