November 12, 2004

Linux Advisory Watch - November 12, 2004

Author: Preston St. Pierre

This week, advisories were released for xpdf, libtiff3, sasl, shadow, ruby,
freeam, gzip, libgd1, gnats, libgd2, Gallery, ImageMagick, zgv, mtink, Apache,
pavuk, samba, libxml, webmin, and speedtouch. The distributors include Conectiva,
Debian, Fedora, Gentoo, Mandrake, and Trustix.

Identify Gateway Machines

Special attention should be paid to gateway or firewall systems,
as they usually control access to the services running on the
entire network. Such gateways should be identified, its function
within the network shouild be assessed and owners or administrators
should be identified. These hosts, often referred to as
``bastion hosts'' are a prime target for an intruder. They should
be some of the most fortified machines on the network.

Be sure to regularly review the current access policies and security
of the system itself.

These ``systems'' should absolutely only be running the services
necessary to perform it's operation. Your firewall should not be your
mail server, web server, contain user accounts, etc. Some of the
things you should check for, and absolutely fortify on these hosts
include:

  • Turn off access to all but necessary services.
  • Depending on the type of firewall, disable IP Forwarding, preventing the
    system from routing packets unless absolutely instructed to do so.
  • Update machine by installing vendor patches immediately.
  • Restrict network management utilities, such as SNMP, ``public'' communities,
    and write access.
  • Be sure firewall policy includes mechanisms for preventing common attacks
    such as IP Spoofing, Fragmentation attacks, Denial of Service, etc.
  • Monitor status very closely. You should develop a reference point in which
    the machine normally operates to be able to detect variations which may indicate
    an intrusion.
  • Develop a comprehensive firewall model. Firewalls should be treated as
    a security system, not just a program that runs on a machine and has an access
    control list. Firewall administration should be centrally controlled and evaluation
    of firewall policies should be done prior to actual firewall deployment.

Excerpt from the LinuxSecurity Administrator's Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)

 
Distribution: Conectiva
  11/8/2004 xpdf
    vulnerabilities fix

Chris Evans discovered several integer overflows vulnerabilities in the xpdf code which can be exploited remotely by a specially crafted PDF document and may lead to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5098.html

 
  11/8/2004 libtiff3
    vulnerabilities fix

This announcement fixes several integer overflow vulnerabilities that were encountered in libtiff.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5099.html

 
  11/11/2004 sasl
    buffer overflow vulnerability fix

A vulnerability[2] has been discovered in the Cyrus implementation of the SASL library. The library honors the environment variable SASL_PATH blindly, which allows a local attacker to link against a malicious library to run arbitrary code with the privileges of a setuid or setgid application.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5150.html

 
 
Distribution: Debian
  11/5/2004 shadow
    unintended behaviour fix

A vulnerability has been discovered in the shadow suite which provides programs like chfn and chsh. It is possible for a user, who is logged in but has an expired password to alter his account information with chfn or chsh without having to change the password. The problem was originally thought to be more severe.

http://www.linuxsecurity.com/advisories/debian_advisory-5086.html

 
  11/8/2004 ruby
    denial of service fix

The upstream developers of Ruby have corrected a problem in the CGI module for this language. Specially crafted requests could cause an infinite loop and thus cause the program to eat up cpu cycles.

http://www.linuxsecurity.com/advisories/debian_advisory-5088.html

 
  11/8/2004 freeam
    arbitrary code execution fix

Luigi Auriemma discovered a buffer overflow condition in the playlist module of freeamp which could lead to arbitrary code execution. Recent versions of freeamp were renamed into zinf.

http://www.linuxsecurity.com/advisories/debian_advisory-5089.html

 
  11/8/2004 gzip
    insecure temporary files fix

Trustix developers discovered insecure temporary file creation in supplemental scripts in the gzip package which may allow local users to overwrite files via a symlink attack.

http://www.linuxsecurity.com/advisories/debian_advisory-5101.html

 
  11/9/2004 libgd1
    arbitrary code execution fix

"infamous41md" discovered several integer overflows in the PNG image decoding routines of the GD graphics library. This could lead to the execution of arbitrary code on the victim's machine.

http://www.linuxsecurity.com/advisories/debian_advisory-5133.html

 
  11/9/2004 gnats
    arbitrary code execution fix

Khan Shirani discovered a format string vulnerability in gnats, the GNU problem report management system. This problem may be exploited to execute arbitrary code.

http://www.linuxsecurity.com/advisories/debian_advisory-5134.html

 
  11/9/2004 libgd2
    arbitrary code execution fix

"infamous41md" discovered several integer overflows in the PNG image decoding routines of the GD graphics library. This could lead to the execution of arbitrary code on the victim's machine.

http://www.linuxsecurity.com/advisories/debian_advisory-5135.html

 
 
Distribution: Fedora
  11/8/2004 udev-039-10.FC3.1 update
    arbitrary code execution fix

Due to debugging code left accidently in the FC3 udev package, SIGCHLD signals are blocked in udev, which prevents getting the proper exit status in udev.rules. This means no cdrom symlinks are created and pam_console does not apply desktop user ownerships to any cdrom devices.

http://www.linuxsecurity.com/advisories/fedora_advisory-5102.html

 
  11/8/2004 initscripts-7.93.5-1 update
    arbitrary code execution fix

This update fixes some minor bugs discovered after the final freeze date.

http://www.linuxsecurity.com/advisories/fedora_advisory-5103.html

 
  11/8/2004 hotplug-2004_04_01-8 update
    arbitrary code execution fix

This update fixes it so that the sg module gets loaded by hotplug for non-disk, non-optical devices.

http://www.linuxsecurity.com/advisories/fedora_advisory-5104.html

 
  11/8/2004 ipsec-tools-0.3.3-2 update
    arbitrary code execution fix

This update fixes the use of 'setkey' when reading from stdin (the '-c' argument).

http://www.linuxsecurity.com/advisories/fedora_advisory-5105.html

 
  11/8/2004 kde-i18n-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5106.html

 
  11/8/2004 kdeaddons-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5107.html

 
  11/8/2004 kdeadmin-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5108.html

 
  11/8/2004 kdeartwork-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5109.html

 
  11/8/2004 kdebase-3.3.1-4.1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5110.html

 
  11/8/2004 kdebindings-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5111.html

 
  11/8/2004 kdeedu-3.3.1-2.1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5112.html

 
  11/8/2004 kdegames-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5113.html

 
  11/8/2004 kdegraphics-3.3.1-2.1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5114.html

 
  11/8/2004 kdelibs-3.3.1-2.2 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5115.html

 
  11/8/2004 kdemultimedia-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5116.html

 
  11/8/2004 kdenetwork-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5117.html

 
  11/8/2004 kdepim-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5118.html

 
  11/8/2004 kdesdk-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5119.html

 
  11/8/2004 kdetoys-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5120.html

 
  11/8/2004 kdeutils-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5121.html

 
  11/8/2004 kdevelop-3.1.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5122.html

 
  11/8/2004 kdewebdev-3.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5123.html

 
  11/8/2004 arts-1.3.1-1 update
    arbitrary code execution fix

KDE 3.3.1 update

http://www.linuxsecurity.com/advisories/fedora_advisory-5124.html

 
  11/8/2004 gpdf-2.8.0-8 update
    arbitrary code execution fix

GPdf includes the gpdf application, a Bonobo control for PDF display which can be embedded in Nautilus, and a Nautilus property page for PDF files.

http://www.linuxsecurity.com/advisories/fedora_advisory-5125.html

 
  11/8/2004 wireless-tools-27-0.pre25.3 update
    arbitrary code execution fix

Fixes a memory leak during wireless scans that affects NetworkManager.

http://www.linuxsecurity.com/advisories/fedora_advisory-5126.html

 
  11/8/2004 redhat-artwork-0.96-2 update
    arbitrary code execution fix

This update fixes issues when using redhat-artwork on 64-bit platforms, having both 32 and 64 bit versions installed.

http://www.linuxsecurity.com/advisories/fedora_advisory-5127.html

 
  11/8/2004 gnome-media-2.8.0-3.FC3.1 update
    arbitrary code execution fix

GNOME (GNU Network Object Model Environment) is a user-friendly set of GUI applications and desktop tools to be used in conjunction with a window manager for the X Window System. The gnome-media package will install media features like the GNOME CD player.

http://www.linuxsecurity.com/advisories/fedora_advisory-5128.html

 
  11/8/2004 zip-2.3-26.2 update
    arbitrary code execution fix

A buffer overflow has been found in zip which will lead to a buffer overflow when a user try to create a zip archive which contains very long filenames.

http://www.linuxsecurity.com/advisories/fedora_advisory-5131.html

 
  11/8/2004 zip-2.3-26.3 update
    arbitrary code execution fix

A buffer overflow has been found in zip which will lead to a buffer overflow when a user try to create a zip archive which contains very long filenames.

http://www.linuxsecurity.com/advisories/fedora_advisory-5132.html

 
  11/9/2004 gnumeric-1.2.13-8.fc3 update
    arbitrary code execution fix

64bit excel {im|ex}port backport fixes

http://www.linuxsecurity.com/advisories/fedora_advisory-5136.html

 
  11/10/2004 system-config-users-1.2.27-0.fc2.1 update
    arbitrary code execution fix

system-config-users is a graphical utility for administrating users and groups. It depends on the libuser library.

http://www.linuxsecurity.com/advisories/fedora_advisory-5140.html

 
  11/10/2004 openoffice.org-1.1.2-11.5.fc3 update
    arbitrary code execution fix

The fixes in this update are detailed in the changelog entry below.

http://www.linuxsecurity.com/advisories/fedora_advisory-5141.html

 
  11/10/2004 openoffice.org-1.1.2-11.4.fc2 update
    arbitrary code execution fix

The fixes in this update are detailed in the changelog entry below.

http://www.linuxsecurity.com/advisories/fedora_advisory-5142.html

 
  11/10/2004 jwhois-3.2.2-6.FC3.1 update
    arbitrary code execution fix

This update fixes a crash when a processing a query requires more than one redirection.

http://www.linuxsecurity.com/advisories/fedora_advisory-5143.html

 
  11/11/2004 ruby-1.8.1-6.FC2.0 update
    arbitrary code execution fix

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.

http://www.linuxsecurity.com/advisories/fedora_advisory-5144.html

 
  11/11/2004 ruby-1.8.1-7.FC3.1 update
    arbitrary code execution fix

Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks (as in Perl). It is simple, straight-forward, and extensible.

http://www.linuxsecurity.com/advisories/fedora_advisory-5145.html

 
  11/11/2004 glibc-2.3.3-27.1 update
    arbitrary code execution fix

The glibc package contains standard libraries which are used by multiple programs on the system. In order to save disk space and memory, as well as to make upgrading easier, common system code is kept in one place and shared between programs.

http://www.linuxsecurity.com/advisories/fedora_advisory-5153.html

 
  11/11/2004 system-config-users-1.2.27-0.fc3.1 update
    arbitrary code execution fix

system-config-users is a graphical utility for administrating users and groups. It depends on the libuser library.

http://www.linuxsecurity.com/advisories/fedora_advisory-5154.html

 
  11/11/2004 libxml2-2.6.16-2 update
    arbitrary code execution fix

This update to libxml2 fixes a variety of bugs found in 2.6.15, notably #137968.

http://www.linuxsecurity.com/advisories/fedora_advisory-5155.html

 
  11/11/2004 libxml2-2.6.16-3 update
    arbitrary code execution fix

This update to libxml2 fixes a variety of bugs found in 2.6.15, notably #137968.

http://www.linuxsecurity.com/advisories/fedora_advisory-5156.html

 
  11/11/2004 gd-2.0.21-5.20.1 update
    arbitrary code execution fix

Several buffer overflows were reported in various memory allocation calls. An attacker could create a carefully crafted image file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image.

http://www.linuxsecurity.com/advisories/fedora_advisory-5157.html

 
  11/11/2004 gd-2.0.28-1.30.1 update
    arbitrary code execution fix

Several buffer overflows were reported in various memory allocation calls. An attacker could create a carefully crafted image file in such a way that it could cause ImageMagick to execute arbitrary code when processing the image.

http://www.linuxsecurity.com/advisories/fedora_advisory-5158.html

 
  11/11/2004 unarj-2.63a-7 update
    arbitrary code execution fix

A buffer overflow bug has been discovered in unarj when handling long file names contained in an archive. An attacker could create an archive with a specially crafted path which could cause unarj to crash or execute arbitrary instructions.

http://www.linuxsecurity.com/advisories/fedora_advisory-5159.html

 
 
Distribution: Gentoo
  11/6/2004 GPdf, KPDF, KOffice Vulnerabilities in included xpdf
    arbitrary code execution fix

The original fix introduced new vulnerabilities on 64-bit platforms. New fixed packages are available. Updated sections follow.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5090.html

 
  11/6/2004 Xpdf, CUPS Multiple integer overflows
    arbitrary code execution fix

The original fix introduced new vulnerabilities on 64-bit platforms. New fixed packages are available. Updated sections follow.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5091.html

 
  11/6/2004 Gallery
    Cross-site scripting vulnerability

Gallery is vulnerable to cross-site scripting attacks.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5092.html

 
  11/6/2004 ImageMagick
    EXIF buffer overflow

ImageMagick contains an error in boundary checks when handling EXIF information, which could lead to arbitrary code execution.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5093.html

 
  11/7/2004 zgv
    Multiple buffer overflows

zgv contains multiple buffer overflows that can potentially lead to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5094.html

 
  11/7/2004 Portage, Gentoolkit Temporary file vulnerabilities
    Multiple buffer overflows

dispatch-conf (included in Portage) and qpkg (included in Gentoolkit) are vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the script.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5095.html

 
  11/7/2004 Kaffeine, gxine Remotely exploitable buffer overflow
    Multiple buffer overflows

Kaffeine and gxine both contain a buffer overflow that can be exploited when accessing content from a malicious HTTP server with specially crafted headers.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5096.html

 
  11/8/2004 OpenSSL, Groff Insecure tempfile handling
    Multiple buffer overflows

groffer, included in the Groff package, and the der_chop script, included in the OpenSSL package, are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5097.html

 
  11/9/2004 zip
    Path name buffer overflow

zip contains a buffer overflow when creating a ZIP archive of files with very long path names. This could lead to the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5137.html

 
  11/9/2004 mtink
    Insecure tempfile handling

mtink is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5138.html

 
  11/10/2004 Apache
    2.0 Denial of Service by memory consumption

A flaw in Apache 2.0 could allow a remote attacker to cause a Denial of Service.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5139.html

 
  11/11/2004 pavuk
    Multiple buffer overflows

Pavuk contains multiple buffer overflows that can allow a remote attacker to run arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5151.html

 
  11/11/2004 ez-ipupdate Format string vulnerability
    Multiple buffer overflows

ez-ipupdate contains a format string vulnerability that could lead to execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5152.html

 
  11/11/2004 samba
    Remote Denial of Service

An input validation flaw in Samba may allow a remote attacker to cause a Denial of Service by excessive consumption of CPU cycles.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5160.html

 
  11/11/2004 Davfs2, lvm-user Insecure tempfile handling
    Remote Denial of Service

Davfs2 and the lvmcreate_initrd script (included in the lvm-user package) are both vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running them.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5161.html

 
 
Distribution: Mandrake
  11/5/2004 shadow
    security bypass vulnerability fix

A vulnerability in the shadow suite was discovered by Martin Schulze that can be exploited by local users to bypass certain security restrictions due to an input validation error in the passwd_check() function. This function is used by the chfn and chsh tools.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5084.html

 
  11/5/2004 libxml
    libxml2 multiple vulnerabilities fix

Multiple buffer overflows were reported in the libxml XML parsing library. These vulnerabilities may allow remote attackers to execute arbitray code via a long FTP URL that is not properly handled by the xmlNanoFTPScanURL() function, a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy() function, and other overflows in the code that resolves names via DNS.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5085.html

 
  11/8/2004 ruby
    remote DoS vulnerability fix

Andres Salomon noticed a problem with the CGI session management in Ruby. The CGI:Session's FileStore implementations store session information in an insecure manner by just creating files and ignoring permission issues (CAN-2004-0755).

http://www.linuxsecurity.com/advisories/mandrake_advisory-5129.html

 
  11/10/2004 webmin
    problem with some modules fix

There was a problem with two modules in the webmin package that did not work correctly: the cron and backup modules. The updates packages fix the problem so the modules will again work.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5146.html

 
  11/11/2004 ez-ipupdate format string vulnerability fix
    problem with some modules fix

Ulf Harnhammar discovered a format string vulnerability in ez-ipupdate, a client for many dynamic DNS services. The updated packages are patched to protect against this problem.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5147.html

 
  11/11/2004 speedtouch
    format string vulnerability fix

The Speedtouch USB driver contains a number of format string vulnerabilities due to improperly made syslog() system calls. These vulnerabilities can be abused by a local user to potentially allow the execution of arbitray code with elevated privileges.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5148.html

 
  11/11/2004 samba
    DoS vulnerability fix

Karol Wiesek discovered a bug in the input validation routines in Samba 3.x used to match filename strings containing wildcard characters. This bug may allow a user to consume more than normal amounts of CPU cycles which would impact the performance and response of the server.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5149.html

 
 
Distribution: Trustix
  11/5/2004 apache
    buffer overflow

Potential buffer overflow with escaped characters in SSI tag string. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0940 to this issue.

http://www.linuxsecurity.com/advisories/trustix_advisory-5087.html

 
  11/8/2004 php, postfix, kernel, sqlgrey, sqlite package fixes
    buffer overflow

PHP: Wrong "extension_dir" leads to problems loading modules. Postfix: Fixed a missing define that prevented dynamic loading of modules.

http://www.linuxsecurity.com/advisories/trustix_advisory-5100.html

 
Click Here!