Linux Advisory Watch – October 29, 2004


Author: Benjamin D. Thomas

This week, advisories were released for mozilla, zlib, kernel, glib2, MySQL,
Gaim, MIT, Netatalk, socat, mpg123, rssh, xpdf, gpdf, cups, kdegraphics, squid,
and libtiff. The distributors include Conectiva, Fedora, Gentoo, Mandrake, Red
Hat, Slackware, and SuSE.

Developing A Security Policy

Create a simple, generic policy for your system that your users can
readily understand and follow. It should protect the data you’re
safeguarding, as well as the privacy of the users. Some things to
consider adding are who has access to the system (Can my friend use
my account?), who’s allowed to install software on the system, who
owns what data, disaster recovery, and appropriate use of the system.

A generally accepted security policy starts with the phrase: “That which
is not expressly permitted is prohibited.”

This means that unless you grant access to a service for a user,
that user shouldn’t be using that service until you do grant access.
Make sure the policies work on your regular user account. Saying,
“Ah, I can’t figure this permissions problem out, I’ll just do it
as root” can lead to security holes that are very obvious, and even
ones that haven’t been exploited yet.

Additionally, there are several questions you will need to answer
to successfully develop a security policy:

  • What level of security do your users expect?
  • How much is there to protect, and what is it worth?
  • Can you afford the down-time of an intrusion?
  • Should there be different levels of security for different groups?
  • Do you trust your internal users?
  • Have you found the balance between acceptable risk and security?

You should develop a plan on who to contact when there is a
security problem that needs attention.

There are quite a few documents available on developing a Site
Security Policy. You can start with the SANS Security Policy
Project.

http://www.sans.org/resources/policies/
 

Excerpt from the LinuxSecurity Administrator’s Guide:
http://www.linuxsecurity.com/docs/SecurityAdminGuide/SecurityAdminGuide.html
Written by: Dave Wreski (dave@guardiandigital.com)


LinuxSecurity.com Feature Extras:

Mass deploying Osiris – Osiris is a centralized file-integrity program
that uses a client/server architecture to check for changes on a system. A central
server maintains the file-integrity database and configuration for a client
and at a specified time, sends the configuration file over to the client, runs
a scan and sends the results back to the server to compare any changes. Those
changes are then sent via email, if configured, to a system admin or group of
people. The communication is all done over an encrypted communication channel.

AIDE and CHKROOTKIT – Network security is continuing to be a big problem
for companies and home users. The problem can be resolved with an accurate security
analysis. In this article I show how to approach security using aide and chkrootkit.

An Interview with Gary McGraw, Co-author of Exploiting Software: How to Break Code
– Gary McGraw is perhaps best known for his groundbreaking work on securing
software, having co-authored the classic Building Secure Software (Addison-Wesley,
2002). More recently, he has co-written with Greg Hoglund a companion volume,
Exploiting Software, which details software security from the vantage point
of the other side, the attacker. He has graciously agreed to share some of his
insights with all of us at LinuxSecurity.com.


Linux Advisory Watch is a comprehensive newsletter that outlines the security
vulnerabilities that have been announced throughout the week. It includes pointers
to updated packages and descriptions of each vulnerability.

 
Distribution: Conectiva
  10/22/2004 mozilla
    upstream fix

This announcement updates mozilla packages for Conectiva Linux 9 and 10 to mozilla version 1.7.3. This update fixes lots of vulnerabilities.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5004.html

 
  10/25/2004 zlib
    denial of service vulnerabilities fix

Due to a Debian bug report[3], a denial of service vulnerability[4] was discovered in the zlib compression library versions 1.2.x, in the inflate() and inflateBack() functions.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5020.html

 
  10/26/2004 kernel
    vulnerabilities fix

This announcement fixes a vulnerability in the Linux kernel which could allow a local attacker to obtain sensitive information due to an issue when handling 64-bit file offset pointers.

http://www.linuxsecurity.com/advisories/conectiva_advisory-5024.html

 
  10/27/2004 foomatic-filters vulnerability
    vulnerabilities fix

The foomatic-rip filter in foomatic-filters contains a vulnerability[2][3] caused by insufficient checking of command-line parameters and environment variables which may allow arbitrary remote command execution on the print server with the permissions of the spooler user (“lp”).

http://www.linuxsecurity.com/advisories/conectiva_advisory-5029.html

 
 
Distribution: Fedora
  10/26/2004 cups-1.1.20-11.6 update
    vulnerabilities fix

A problem with PDF handling was discovered by Chris Evans, and has been fixed. The Common Vulnerabilities and Exposures project (www.mitre.org) has assigned the name CAN-2004-0888 to this issue.

http://www.linuxsecurity.com/advisories/fedora_advisory-5023.html

 
  10/27/2004 glib2
    and gtk2 md5sums update

The md5sums of the glib2-2.4.7-1.1 and gtk2-2.4.13-2.1 updates don’t match the ones in the announcements I sent out.

http://www.linuxsecurity.com/advisories/fedora_advisory-5026.html

 
 
Distribution: Gentoo
  10/24/2004 MySQL
    Multiple vulnerabilities

Several vulnerabilities including privilege abuse, Denial of Service, and potentially remote arbitrary code execution have been discovered in MySQL.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5013.html

 
  10/24/2004 Gaim
    Multiple vulnerabilities

Multiple vulnerabilities have been found in Gaim which could allow a remote attacker to crash the application, or possibly execute arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5014.html

 
  10/25/2004 MIT
    krb5 Insecure temporary file use in send-pr.sh

The send-pr.sh script, included in the mit-krb5 package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5016.html

 
  10/25/2004 Netatalk
    Insecure tempfile handling in etc2ps.sh

The etc2ps.sh script, included in the Netatalk package, is vulnerable to symlink attacks, potentially allowing a local user to overwrite arbitrary files with the rights of the user running the utility.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5017.html

 
  10/25/2004 socat
    Format string vulnerability

socat contains a format string vulnerability that can potentially lead to remote or local execution of arbitrary code with the privileges of the socat process.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5018.html

 
  10/27/2004 mpg123
    Buffer overflow vulnerabilities

Buffer overflow vulnerabilities have been found in mpg123 which could lead to execution of arbitrary code.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5025.html

 
  10/27/2004 rssh
    Format string vulnerability

rssh is vulnerable to a format string vulnerability that allows arbitrary execution of code with the rights of the connected user, thereby bypassing rssh restrictions.

http://www.linuxsecurity.com/advisories/gentoo_advisory-5027.html

 
 
Distribution: Mandrake
  10/22/2004 xpdf
    vulnerabilities fix

Chris Evans discovered numerous vulnerabilities in the xpdf package which can result in DoS or possibly arbitrary code execution.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5000.html

 
  10/22/2004 gpdf
    DoS vulnerability fix

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code, such as gpdf.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5001.html

 
  10/22/2004 cups
    DoS vulnerabilities fix

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5002.html

 
  10/22/2004 kdegraphics
    DoS vulnerability fix

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code, such as kpdf.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5003.html

 
  10/22/2004 squid
    SNMP processing vulnerability fix

iDEFENSE discovered a Denial of Service vulnerability in squid version 2.5.STABLE6 and previous. The problem is due to an ASN1 parsing error where certain header length combinations can slip through the validations performed by the ASN1 parser, leading to the server assuming there is heap corruption or some other exceptional condition, and closing all current connections then restarting.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5007.html

 
  10/22/2004 gpdf
    DoS vulnerability fix

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5008.html

 
  10/22/2004 kdegraphics
    DoS vulnerability fix

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5009.html

 
  10/22/2004 CUPS
    DoS vulnerabilities fix

Chris Evans discovered numerous vulnerabilities in the xpdf package, which also affect software using embedded xpdf code.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5010.html

 
  10/22/2004 xpdf
    vulnerabilities fix

Multiple integer overflow issues affect xpdf-2.0 and xpdf-3.0, as well as programs like cups which have embedded versions of xpdf. These can result in writing an arbitrary byte to an attacker-controlled location, which probably could lead to arbitrary code execution.

http://www.linuxsecurity.com/advisories/mandrake_advisory-5011.html

 
 
Distribution: Red Hat
  10/22/2004 CUPS
    security issues fix

Updated cups packages that fix denial of service issues, a security information leak, as well as other various bugs are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5005.html

 
  10/22/2004 libtiff
    update

Updated libtiff packages that fix various buffer and integer overflows are now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5006.html

 
  10/27/2004 mysql-server update
    update

An updated mysql-server package that fixes various security issues is now available in the Red Hat Enterprise Linux 3 Extras channel of Red Hat Network.

http://www.linuxsecurity.com/advisories/redhat_advisory-5030.html

 
  10/27/2004 xchat
    SOCKSv5 proxy security issue fix

An updated xchat package that fixes a stack buffer overflow in the SOCKSv5 proxy code is now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5031.html

 
  10/27/2004 xpdf
    security flaws fix

An updated xpdf package that fixes a number of integer overflow security flaws is now available.

http://www.linuxsecurity.com/advisories/redhat_advisory-5032.html

 
 
Distribution: Slackware
  10/22/2004 Gaim
    buffer overflow

A buffer overflow in the MSN protocol handler for GAIM 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and may allow the execution of arbitrary code.

http://www.linuxsecurity.com/advisories/slackware_advisory-5015.html

 
  10/26/2004 apache, mod_ssl, php security issues fix
    buffer overflow

New apache and mod_ssl packages are available for Slackware 8.1, 9.0, 9.1, 10.0, and -current to fix security issues.

http://www.linuxsecurity.com/advisories/slackware_advisory-5021.html

 
 
Distribution: SuSE
  10/22/2004 libtiff
    security vulnerability fix

Chris Evans found several security-related problems during an audit of the image handling library libtiff, some related to buffer overflows, some related to integer overflows and similar.

http://www.linuxsecurity.com/advisories/suse_advisory-5012.html

 
  10/26/2004 xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups security vulnerability fix
    security vulnerability fix

Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3.

http://www.linuxsecurity.com/advisories/suse_advisory-5019.html

 
  10/26/2004 xpdf, gpdf, kdegraphics3-pdf, pdftohtml, cups remote system compromise
    security vulnerability fix

Chris Evans found several integer overflows and arithmetic errors. Additionally Sebastian Krahmer from the SuSE Security-Team found similar bugs in xpdf 3.

http://www.linuxsecurity.com/advisories/suse_advisory-5022.html