Linux Advisory Watch – November 5, 2004


Author: Preston St. Pierre

This week, advisories were released for rsync, squid, subversion, gaim, apache,
postgresql, mpg123, abiword, iptables, xpdf, libxml, lvm10, dhcp, ppp,
speedtouch, proxytunnel, shadow, mysql, netatalk, mod_ssl, and libtiff. The distributors
include Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, Slackware, and Trustix.

NFS Security

NFS is a very widely used file sharing protocol. It allows servers running
nfsd(8) and mountd(8) to “export” entire filesystems to other machines with
NFS client support built into their kernels (or some other client implementation
on non-Linux machines). mountd(8) records which clients have mounted which
exports in its rmtab file (/var/lib/nfs/rmtab with current nfs-utils; this is not
the local mount table /etc/mtab), and showmount(8) queries mountd to display
them. Note that showmount -e works for anyone who can reach mountd, so an
attacker can enumerate your export list the same way.

Many sites use NFS to serve home directories to users, so that
no matter which machine in the cluster they log in to, they have
all their home files.

The export options offer only a small amount of “security”. With
root_squash (the default in current nfs-utils) the server maps the remote
root user (uid 0) to the anonymous user nobody, so remote root is denied
root's access to the exported files. However, NFS with the usual AUTH_SYS
flavour trusts whatever uid and gids the client sends. Since each user has
full access to files owned by their own uid, the remote superuser can simply
log in or su to a user's account (or any account with the same uid) and gain
total access to that user's files. root_squash is therefore only a small
hindrance to an attacker who can mount your exports; only a cryptographic
security flavour such as sec=krb5 ties access to an authenticated principal
rather than a client-asserted uid.

If you must use NFS, export only to the specific machines that really
need access. An entry with no host list, or with * as the host, exports
to everyone, and beware of “host (options)” with a space before the
parenthesis: exportfs then applies the options to the whole world and gives
the named host only the defaults. Never export your root directory; export
only the directories you need, and export read-only (ro) wherever possible.

Filter TCP port 111 and UDP port 111 (portmapper) and TCP port 2049
and UDP port 2049 (nfsd) on your firewall or gateway to prevent
external access. With NFSv2/v3 this is not the whole story: mountd, lockd
and statd register on dynamic ports through the portmapper, so either pin
them to fixed ports (for example rpc.mountd -p) and filter those as well,
or default-deny inbound traffic and allow NFS only from your trusted subnet.
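The two steps above (restrict what you export and to whom, then filter the NFS ports) can be checked from a shell. The script below is an added example written for this newsletter, not code from the LinuxSecurity Administrator's Guide or from nfs-utils: audit_exports flags /etc/exports entries that break the advice, and nfs_firewall_rules prints (rather than applies) the iptables rules for a trusted subnet. The exports file is a constructed sample, and the subnet 192.168.1.0/24 and the pinned mountd port 892 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example for this newsletter; not from the Administrator's Guide or nfs-utils.
# The exports file below is a constructed sample; the subnet and mountd port are assumed.

# Report /etc/exports lines that violate the advice above: world exports (no host
# list, "*" or "host (opts)" with a stray space, which gives the options to
# everyone), rw exports, no_root_squash, and exporting the root filesystem.
# exportfs defaults are ro and root_squash, so rw only appears if written explicitly.
audit_exports() {   # usage: audit_exports /etc/exports
    awk '
    /^[ \t]*(#|$)/ { next }                       # comments and blank lines
    {
        path = $1
        if (path == "/")
            print "line " NR ": root filesystem exported"
        if (NF == 1)
            print "line " NR ": " path " exported to every host (no host list)"
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            if (match(host, /\(.*\)/)) {          # split host(opts)
                opts = substr(host, RSTART + 1, RLENGTH - 2)
                host = substr(host, 1, RSTART - 1)
            }
            if (host == "" || host == "*") {      # "(opts)" alone means everyone
                host = "ANY"
                print "line " NR ": " path " exported to every host"
            }
            if (opts ~ /(^|,)rw(,|$)/)
                print "line " NR ": " path " writable by " host
            if (opts ~ /(^|,)no_root_squash(,|$)/)
                print "line " NR ": remote root keeps uid 0 on " path " from " host
        }
    }' "$1"
}

# Print iptables rules that accept portmapper, nfsd and a pinned mountd port
# only from the trusted subnet and drop those ports from everyone else.
# mountd must really be started with "rpc.mountd -p $2" for the filter to hold.
nfs_firewall_rules() {   # usage: nfs_firewall_rules TRUSTED_NET MOUNTD_PORT
    net=$1; mountd=$2
    for port in 111 2049 "$mountd"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -p $proto --dport $port -s $net -j ACCEPT"
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Constructed sample exports file (line 6 shows the "host (opts)" mistake).
SAMPLE=$(mktemp) || exit 1
cat > "$SAMPLE" <<'EOF'
# constructed sample /etc/exports
/home      192.168.1.0/24(rw,root_squash)
/          *(rw,no_root_squash)
/srv/pub   (ro)
/var/ftp
/srv/data  fileserver.example.com(ro) 192.168.1.0/24 (rw)
EOF

audit_exports "$SAMPLE"                    # 9 findings for the sample
nfs_firewall_rules 192.168.1.0/24 892      # 12 rules, review before applying
```

Line 6 of the sample is the classic mistake: `192.168.1.0/24 (rw)` with a space exports /srv/data read/write to everyone while the named subnet gets the read-only default. The generated rules only cover mountd because it was pinned; lockd and statd need the same treatment, which is why a default-deny INPUT policy with an explicit allow from the trusted subnet is the safer shape on a real host.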

The NFS HOWTO also discusses some of the security issues with NFS.

Excerpt from the LinuxSecurity Administrator's Guide, written by Dave Wreski.
Feature Extras:

Deploying Osiris
– Osiris is a centralized file-integrity program
that uses a client/server architecture to check for changes on a system. A central
server maintains the file-integrity database and configuration for each client;
at a specified time it sends the configuration file to the client, which runs
a scan and returns the results to the server for comparison. Any
changes are then sent by email, if configured, to a system administrator or group of
people. All communication takes place over an encrypted channel.

– Network security is continuing to be a big problem
for companies and home users. The problem can be resolved with an accurate security
analysis. In this article I show how to approach security using AIDE and chkrootkit.

Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code

– Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software (Addison-Wesley,
2002). More recently, he has co-written with Greg Hoglund a companion volume,
Exploiting Software, which details software security from the vantage point
of the other side, the attacker. He has graciously agreed to share some of his
insights with all of us at

Linux Advisory Watch is
a comprehensive newsletter that outlines the security vulnerabilities that have
been announced throughout the week. It includes pointers to updated packages
and descriptions of each vulnerability.

Distribution: Conectiva
  11/1/2004 rsync
    path sanitation vulnerabilities fix

rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without chroot. This could allow a remote attacker to write files outside the rsync module directory, depending on the privileges of the rsync daemon.

  11/3/2004 squid
    denial of service vulnerability fix

This announcement fixes a denial of service vulnerability in squid caused by a malformed NTLMSSP packet, which results in a negative value being passed to memcpy on servers with NTLM authentication enabled; squid aborts, causing a denial of service condition.

  11/4/2004 subversion
    vulnerabilities fix

All Subversion versions up to and including 1.0.7 are vulnerable to a bug in mod_authz_svn that could allow sensitive metadata of protected areas to be leaked to unauthorized users, i.e. an information leak vulnerability.

  11/4/2004 gaim
    vulnerabilities fix

This announcement fixes several denial of service and buffer overflow vulnerabilities that were encountered in Gaim.

  11/4/2004 apache
    mod_ssl vulnerability fix

An issue in the mod_ssl module was reported by Hartmut Keil. When a particular location is configured to require a specific set of cipher suites through the “SSLCipherSuite” directive in its directory or location context, a client could still access that location using any cipher suite allowed by the virtual host configuration, because the per-location restriction was not enforced after renegotiation.

Distribution: Debian
  10/29/2004 squid
    several vulnerabilities fix

Several security vulnerabilities have been discovered in Squid, the internet object cache, the popular WWW proxy cache.

  10/29/2004 postgresql
    symlink vulnerability fix

Trustix Security Engineers identified insecure temporary file creation in a script included in the postgresql suite, an object-relational SQL database. This could allow a local attacker to trick a user into overwriting arbitrary files that user has write access to.

  11/1/2004 mpg123
    arbitrary code execution fix

Carlos Barros has discovered a buffer overflow in the HTTP authentication routine of mpg123, a popular (but non-free) MPEG layer 1/2/3 audio player.

  11/1/2004 abiword
    arbitrary code execution fix

A buffer overflow vulnerability has been discovered in the wv library, used for converting and previewing Word documents. On exploitation an attacker could execute arbitrary code with the privileges of the user running the vulnerable application.

  11/1/2004 iptables
    modprobe failure fix

Faheem Mitha noticed that the iptables command, an administration tool for IPv4 packet filtering and NAT, did not always load the required modules on its own as it was supposed to, which can leave the intended firewall rules unloaded at boot.

  11/2/2004 xpdf
    arbitrary code execution fix

Chris Evans discovered several integer overflows in xpdf, a viewer for PDF files, which can be exploited remotely by a specially crafted PDF document and lead to the execution of arbitrary code.

  11/2/2004 libxml
    arbitrary code execution fix

“infamous41md” discovered several buffer overflows in libxml and libxml2, the XML C parser and toolkits for GNOME. Missing bounds checks could cause several buffers to be overflowed, which may allow a remote attacker to make the client execute arbitrary code.

  11/3/2004 lvm10
    insecure temporary directory fix

Trustix developers discovered insecure temporary file creation in a supplemental script in the lvm10 package that didn’t check for existing temporary directories, allowing local users to overwrite files via a symlink attack.

  11/4/2004 dhcp
    format string vulnerability fix

“infamous41md” noticed that the log functions in dhcp 2.x, which is still distributed in the stable Debian release, passed parameters to functions that use format strings. One such use appears to be exploitable by a malicious DNS server.

Distribution: Fedora
  10/29/2004 libxslt-1.1.12-2 update
    DocBook transformation fix

This update fixes bug #137499, where some DocBook transformations broke following the latest security release of libxml2-2.6.15-2. It brings libxslt back in sync with the installed version of libxml2.

  11/4/2004 system-config-users-1.2.26-0.fc2.1 update
    update

system-config-users is a graphical utility for administrating users and groups. It depends on the libuser library.

  11/4/2004 wget-1.9.1-16.fc2 update
    large file support update

This new release of wget adds support for large files (>2 GB), e.g. DVD ISOs.

Distribution: Gentoo
  10/29/2004 Archive::Zip
    Virus detection evasion fix

Email virus scanning software relying on Archive::Zip can be fooled into thinking a ZIP attachment is empty while it contains a virus, allowing detection evasion.

  11/1/2004 ppp
    Remote denial of service vulnerability

pppd contains a vulnerability that may allow an attacker to crash the server.

  11/1/2004 Cherokee
    Format string vulnerability

Cherokee contains a format string vulnerability that could lead to denial of service or the execution of arbitrary code.

  11/2/2004 Apache 1.3
    Buffer overflow vulnerability in mod_include

A buffer overflow vulnerability exists in mod_include which could possibly allow a local attacker to gain escalated privileges.

  11/2/2004 Speedtouch
    USB driver Privilege escalation vulnerability

A vulnerability in the Speedtouch USB driver can be exploited to allow local users to execute arbitrary code with escalated privileges.

  11/2/2004 libxml2
    Remotely exploitable buffer overflow

libxml2 contains multiple buffer overflows which could lead to the execution of arbitrary code.

  11/2/2004 MIME-tools
    Virus detection evasion

MIME-tools doesn’t handle empty MIME boundaries correctly. This may prevent some virus-scanning programs which use MIME-tools from detecting certain viruses.

  11/2/2004 ppp
    No denial of service vulnerability

pppd contains a bug that allows an attacker to crash his own connection, but it cannot be used to deny service to other users.

  11/3/2004 Proxytunnel
    Format string vulnerability

Proxytunnel is vulnerable to a format string vulnerability, potentially allowing a remote server to execute arbitrary code with the rights of the Proxytunnel process.

  11/3/2004 GD
    Integer overflow

The PNG image decoding routines in the GD library contain an integer overflow that may allow execution of arbitrary code with the rights of the program decoding a malicious PNG image.

  11/4/2004 shadow
    Unauthorized modification of account information

A flaw in the chfn and chsh utilities might allow modification of account properties by unauthorized users.

Distribution: Mandrake
  11/2/2004 gaim
    vulnerability fix

A vulnerability in the MSN protocol handler in the gaim instant messenger application was discovered. When receiving unexpected sequences of MSNSLP messages, it is possible that an attacker could trigger an internal buffer overflow which could lead to a crash or even code execution as the user running gaim.

  11/2/2004 perl-Archive-Zip
    virus detection evasion fix

Recently, it was noticed that several antivirus programs miss viruses that are contained in ZIP archives with manipulated directory data. The global archive directory of these ZIP files has been manipulated to indicate zero file sizes.

  11/2/2004 MySQL
    multiple vulnerabilities fix

Jeroen van Wolffelaar discovered an insecure temporary file vulnerability in the mysqlhotcopy script when using the scp method (CAN-2004-0457).

  11/2/2004 mpg123
    vulnerability fix

Carlos Barros discovered two buffer overflow vulnerabilities in mpg123; the first in the getauthfromURL() function and the second in the http_open() function. These vulnerabilities could be exploited to possibly execute arbitrary code with the privileges of the user running mpg123.

  11/2/2004 netatalk
    temporary file vulnerability fix

A script that is part of the netatalk package creates files in /tmp with predictable names, which could allow a local attacker to use a symbolic link pointing at an existing file on the filesystem to overwrite arbitrary files when the script is run by someone with enough privilege.
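The postgresql, lvm10, netatalk and mysqlhotcopy entries in this issue are all the same bug class: a script writes to a predictable name under /tmp, so a local user who plants a symlink there first gets the privileged script to overwrite a file of their choosing. The shell demonstration below is added here and is not code from any of those packages or advisories; it uses a private scratch directory in place of /tmp and an invented program name (app), and shows the vulnerable pattern beside the mktemp(1) fix.

```shell
#!/bin/sh
# Added demonstration, not code from postgresql, lvm10, netatalk or mysqlhotcopy.
# SCRATCH stands in for /tmp (an assumption) so the demo never touches the real one.
SCRATCH=$(mktemp -d) || exit 1
trap 'rm -rf "$SCRATCH"' EXIT

# Vulnerable pattern: the name is built from a guessable number (typically the
# PID), and ">" opens it with O_CREAT but not O_EXCL, so a symlink planted by an
# attacker at that name is silently followed to its target.
vuln_write_temp() {    # $1 = pid-like number, $2 = data to write
    tmp="$SCRATCH/app.$1"
    echo "$2" > "$tmp"
}

# Hardened pattern: mktemp creates a fresh file with a random suffix using
# O_CREAT|O_EXCL, so a symlink pre-planted at any predicted name is never
# followed, and failure to create the file aborts instead of carrying on.
safe_write_temp() {    # $1 = data to write; prints the path it used
    tmp=$(mktemp "$SCRATCH/app.XXXXXX") || return 1
    echo "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

# The attacker predicts the name (PID 4242 here) and plants a symlink to a file
# they cannot otherwise write; the privileged script then clobbers it.
demo_vulnerable() {
    victim="$SCRATCH/victim.conf"
    echo "original contents" > "$victim"
    ln -sf "$victim" "$SCRATCH/app.4242"
    vuln_write_temp 4242 "attacker controlled"
    cat "$victim"                 # attacker controlled
}

# Same set-up against the hardened writer: the planted link is never used and
# the victim file is untouched.
demo_hardened() {
    victim="$SCRATCH/victim.conf"
    echo "original contents" > "$victim"
    ln -sf "$victim" "$SCRATCH/app.4242"
    tmp=$(safe_write_temp "attacker controlled") || return 1
    [ ! -L "$tmp" ] || return 1   # must be a regular file, not the planted link
    cat "$victim"                 # original contents
}

echo "vulnerable writer: $(demo_vulnerable)"
echo "hardened writer:   $(demo_hardened)"
```

On current kernels fs.protected_symlinks refuses to follow a symlink in a world-writable sticky directory such as /tmp when the link owner differs from the directory owner and the process, which blunts this particular attack; it does not exist in 2004-era kernels and does nothing for predictable names in other directories, so mktemp (or mkstemp(3) in C) remains the correct fix.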

  11/2/2004 perl-MIME-tools
    MIME boundary parsing fix

There’s a bug in MIME-tools, where it mis-parses things like boundary=””. Some viruses use an empty boundary, which may allow unapproved parts through MIMEDefang.

  11/2/2004 mod_ssl
    information disclosure vulnerability fix

A vulnerability in mod_ssl was discovered by Hartmut Keil. After a renegotiation, mod_ssl would fail to ensure that the requested cipher suite is actually negotiated. The provided packages have been patched to prevent this problem.

  11/4/2004 xorg-x11
    libXpm overflow vulnerabilities fix

Chris Evans found several stack and integer overflows in the libXpm code of X.Org/XFree86.

  11/4/2004 Mandrakelinux 10.1
    various issues fix

Various packages are now available that fix certain bugs in KDE-related packages in Mandrakelinux 10.1 Official edition.

  11/4/2004 iptables
    vulnerability fix

Faheem Mitha discovered that the iptables tool would not always load the required modules on its own as it should have, which could in turn lead to firewall rules not being loaded on system startup in some cases.

  11/5/2004 shadow
    security bypass vulnerability fix

A vulnerability in the shadow suite was discovered by Martin Schulze that can be exploited by local users to bypass certain security restrictions due to an input validation error in the passwd_check() function. This function is used by the chfn and chsh tools.

  11/5/2004 libxml
    libxml2 multiple vulnerabilities fix

Multiple buffer overflows were reported in the libxml XML parsing library. These vulnerabilities may allow remote attackers to execute arbitrary code via a long FTP URL that is not properly handled by the xmlNanoFTPScanURL() function, a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy() function, and other overflows in the code that resolves names via DNS.

Distribution: Openwall
  11/3/2004 glibc
    2.3.x update

Basically, the system has been updated to glibc 2.3.x (2.3.2 plus the patches found in latest Red Hat Linux 9 glibc update, minus NPTL, and plus all of our modifications indeed).

Distribution: Slackware
  11/1/2004 apache+mod_ssl
    security issue fix

New apache packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix a security issue. Apache has been upgraded to version 1.3.33 which fixes a buffer overflow which may allow local users to execute arbitrary code as the apache user.

  11/1/2004 libtiff
    security issue fix

New libtiff packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues that could lead to application crashes, or possibly execution of arbitrary code.

Distribution: Trustix
  11/1/2004 libxml2, postgresql
    multiple security issues fix

There is a buffer overflow when parsing a URL with ftp information in it. A loop incorrectly copies data from a user supplied buffer into a finite stack buffer with no regard for the length being copied.
