Author: Kelley Greenman
As a reminder, Red Hat, Ubuntu, and SUSE issued updates for the Firefox browser last week. This week, Debian, Gentoo, and Mandriva issued updates for Firefox as well. In last week’s Firefox advisories, vendors warned that the problems in Firefox also affected Mozilla’s email client, Thunderbird. However, since vendors thought the Firefox vulnerabilities carried greater security risks, they waited to issue updates for Thunderbird packages. The vulnerabilities presented less of a risk to Thunderbird since the default installation does not use JavaScript and users are encouraged not to turn JavaScript on. This week, Mandriva, Red Hat, and SUSE issued updates for Thunderbird. Look for other vendors to issue their updates soon as well.
Fedora, Mandriva, and Gentoo issued security updates for Ethereal, a network protocol analyzer (‘packet sniffer’) with a Graphical User Interface (GUI). An upgrade to the latest version 0.99.0 addresses 28 vulnerabilities, many of them critical, found in versions 0.8.5 through 0.10.14. While the vendor located many of the problems, the software-engineering firm, Coverity, also discovered multiple vulnerabilities while performing a security audit under a grant from the US Department of Homeland Security.
The security holes included infinite loop vulnerabilities, off-by-one errors, and several buffer overflow vulnerabilities. The security problems rendered Ethereal vulnerable to a variety of remote attacks such as Denial of Service (DoS) attacks, application crashes, and the execution of arbitrary commands.
Buffer Overflow Vulnerabilities
Security researchers at Coverity discovered several buffer overflows in versions 0.10.x up to 0.10.14. Remote attackers could take advantage of the problems to launch a DoS or execute arbitrary code in the ALCAP dissector, the Network Instruments file code, or the NetXray/Windows Sniffer file code. Coverity also discovered a buffer overflow vulnerability in the telnet dissector. The problem affects version 0.8.5 up to 0.10.14 and an attacker could exploit the security hole in order to execute arbitrary code. In versions 0.9.15 up to 0.10.14, Ethereal developers located a buffer overflow vulnerability in the COPS dissector. Remote attackers could exploit the problem, causing a DoS or the execution arbitrary code.
Unspecified Vulnerabilities
Coverity and the Ethereal team discovered a variety of unspecified vulnerabilities. In versions 0.10.x up to 0.10.14, there are weaknesses in H.248, X.509if, SRVLOC, H.245, and AIM. The Coverity security team also located similar problems in the general packet dissectors and the statistics counter. Remote attackers could exploit the problems to cause a null dereference and, consequently, crash the application.
The audit team also discovered several unspecified vulnerabilities with the SNDCP dissector, a problem that affected versions 0.10.4 up through 0.10.14. A remote attacker could exploit the condition to cause the SNDCP dissector to abort and cause a DoS. In versions 0.8.x up to 0.10.14, Coverity also located unspecified vulnerabilities located in the Sniffer capture or the SMB PIPE dissector. A remote attacker could exploit the problems with a maliciously crafted Sniffer capture to cause a null dereference. The condition could lead to a DoS crash.
Programming Errors
The vendor and Coverity also reported several programming errors. The vendor reported an off-by-one error located in the OID printing routine, a problem which affects versions 0.10.x up to 0.10.14. The impact of the vulnerability and the attack vectors were unknown as of publication. In versions 0.10.12 through 0.10.14, vulnerabilities could cause the UMA or BER dissectors to go into an infinite loop. A remote attacker could exploit the problem by sending specially crafted packets to the UMA or BER dissectors to generate large or infinite loops and cause a DoS. The Coverity team also discovered problems in the following dissectors: RPC, DCERPC, ASN.1, GSM SMS, DCERPC NT, and PER. A remote attacker could exploit the problems, creating a null dereference that crashes the application and causes a DoS.
As Ethereal’s developer, Gerald Combs, warns, an attacker could exploit these vulnerabilities to cause the application to crash, deplete system resources, or run arbitrary code. There are no workarounds given the scope and severity of the vulnerabilities. If you’re running Ethereal, please be sure to upgrade your packages to version 0.99.0.
Vulnerabilities affecting several packages
Package: cyrus-sasl2, cyrus, sas1 — programming error
CVE: CVE-2006-1721
April 25, 2006
According to the Mu Security research team, there is a programming error in the Simple Authentication and Security Layer authentication library (SASL). A remote attacker could exploit the problem by sending malformed inputs in DIGEST-MD5 negotiation, causing a segmentation fault. The attacker could cause a DoS even if the attacker is unable to authenticate. The problem affects a number of packages including Sendmail, Postfix, and OpenLDAP.
Affected distributions: Debian cyrus-sas12, Gentoo cyrus-sas1, and Ubuntu cyrus-sas12.
Package: firefox, mozilla– multiple vulnerabilities
CVE:CVE-2006-0749, CVE-2006-1724, CVE-2006-1727, CVE-2006-1728, CVE-2006-1729, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1740, CVE-2006-1741, CVE-2006-1742
April 26, 2006
Several vendors have released updates for their Firefox and Mozilla packages. The updates address multiple vulnerabilities, many of which involve the way Firefox and the Mozilla Suite process malicious JavaScript. Some of the more critical vulnerabilities could allow an attacker to do the following:
- Modify the content of another Web page in order to steal sensitive data or conduct cross-site scripting (XSS) attacks.
- Launch arbitrary JavaScript instructions with the permissions of “chrome” in order to steal sensitive data or install malware.
- Execute arbitrary code with the privileges of the user operating Firefox.
- Spoof a secure site when the browser is configured to display a secure site dialog warning.
- Trick users into filling out a form on a malicious Web page in order to obtain arbitrary files from the victim’s computer.
Affected Distributions:Debian Mozilla-Firefox, Debian Mozilla, Gentoo Mozilla-Firefox, Mandriva Mozilla-Firefox, Red Hat Mozilla, Red Hat Firefox.
Package: zvg, xzvg — heap-based buffer overflow
CVE:CVE-2006-1060
April 21, 2006
Andrea Barisani discovered a heap-based buffer overflow vulnerability that affects both zvg and xzvg, which are graphics viewers for svgalib. An attacker could exploit the vulnerability by using malformed JPEG images in order to execute arbitrary code.
Affected Distributions: Debian zvg, Debian xzvg, Gentoo xzvg.
Package: thunderbird — multiple vulnerabilities
CVE: CVE-2006-0292, CVE-2006-0296, CVE-2006-0748, CVE-2006-0749, CVE-2006-0884, CVE-2006-1045, CVE-2006-1724, CVE-2006-1727, CVE-2006-1728, CVE-2006-1730, CVE-2006-1731, CVE-2006-1732, CVE-2006-1733, CVE-2006-1734, CVE-2006-1735, CVE-2006-1737, CVE-2006-1738, CVE-2006-1739, CVE-2006-1741, CVE-2006-1742, CVE-2006-1790
April 25, 2006
Mandriva, SUSE, and Red Hat issued updates to address multiple vulnerabilities in Mozilla’s Thunderbird email client. An attacker could exploit the vulnerabilities by creating malicious email messages in order to steal files and execute arbitrary code with the permissions of the targeted user. The update also fixes two bugs that can cause Thunderbird to crash.
Affected Distributions: Mandriva, Red Hat, SUSE.
Package: ethereal — multiple vulnerabilities
CVE:CVE-2006-1932, CVE-2006-1933, CVE-2006-1934, CVE-2006-1935, CVE-2006-1936, CVE-2006-1937, CVE-2006-1938, CVE-2006-1939, CVE-2006-1940
April 25, 2006
Ethereal issued updates for several critical security vulnerabilities, including multiple buffer overflow vulnerabilities and potential DoS vulnerabilities.
Affected Distributions: Fedora, Mandriva, and Gentoo.
Package: php — multiple vulnerabilities
CVE:CVE-2006-0996, CVE-2006-1494, CVE-2006-1608
April 24, 2006
There are several vulnerabilities in PHP. The problems could be exploited by malicious users to launch various attacks:
- An attacker could exploit a cross-site scripting (XSS) vulnerability in phpinfo (info.c) in order to inject arbitrary Web script or HTML.
- A local attacker could exploit a directory traversal vulnerability in file.c in order to bypass open_basedir restrictions. Once compromised, an attacker could escalate their privileges or create arbitrary directories via the tempname function.
- Local users could exploit the copy function in file.c in order to bypass safe mode and read arbitrary files via a source argument containing a compress.zlib:// URI..
Mandriva advises users to update their packages and, after doing so, run service httpd restart.
Affected Distributions:Mandriva and Red Hat.
Package: ruby — format string vulnerability
CVE:CVE-2006-1931
April 25, 2006
Yukihiro Matsumoto located a vulnerability in the way Ruby’s HTTP module uses blocking sockets. An attacker could exploit the problem by sending large volumes of data to the server using Ruby. Consequently, the attacker could render Ruby unusable, since it is unable to respond to other requests.
Affected Distributions:Mandriva and Ubuntu.
Vulnerabilities listed by distribution
Debian: blender — multiple vulnerabilities
April 24, 2006
Debian has fixed multiple vulnerabilities in Blender. Joxean Koret discovered one problem in the 3D graphics creation suite: missing input validation could allow an attacker to execute arbitrary commands. Damien Put identified a buffer overflow vulnerability that could be exploited by an attacker to launch arbitrary code or a DoS attack. Debian has issued an update for the stable distribution (sarge), version 2.36-1sarge1.
Debian: gdm — vulnerability
April 24, 2006
GDM is a display manager for X. It is vulnerable to local attack because of a race condition when GDM handles the .ICEauthority file. The attacker could exploit the problem to escalate access privileges. Debian’s update fixed the problem in the stable distribution (sarge), version 2.6.0.8-1sarge2.
Debian: abc2ps, abcmidi-yaps — buffer overflow vulnerabilities
April 25, 2006
Erik Sjölund discovered buffer overflow vulnerabilities in abc2ps and abcmidi-yaps, both of which translate ABC music description files into PostScript. According to Sjölund, ABC2ps does not check the boundaries when reading in ABC music files. Debian has issued a patch to fix abc2ps in the stable distribution (sarge), version 1.3.3-3sarge1, as well as a patch for abcmidi-yaps in the stable distribution (sarge), version 20050101-1sarge1.
Debian: openvpn — design error
April 27, 2006
Hendrik Weimer found a design error in the Virtual Private Network daemon, OpenVPN. The error pushes environment variables to a client and allows a malicious VPN server to take over connected clients. Debian has issued a patch for the stable distribution (sarge), version 2.0-1sarge3.
Fedora: beagle — update
April 21, 2006
Fedora issued an upgrade for BEAGLE, a search infrastructure. The update fixes several problems including a security vulnerability that could allow an attacker to inject command line arguments into the indexer helper.
Fedora: libtiff — vulnerability
April 27, 2006
Fedora issued an update for libtiff-3.7.1-6.fc4.1 and libtiff-3.7.4-4. A remote attacker could exploit several vulnerabilities with a specially crafted TIFF image. The malicious file could cause the following:
- Errors in the TIFFFetchAnyArray function in tif_dirread.c.
- Errors in certain “codec cleanup methods” in tif_lzw.c, tif_pixarlog.c, and tif_zip.c.
- Improper restoration of setfield and getfield methods in cleanup functions within tif_jpeg.c, tif_pixarlog.c, tif_fax3.c, and tif_zip.c.
Gentoo: crossfire — vulnerability
April 22, 2006
Luigi Auriemma located a vulnerability in the role-playing game, Crossfire. The problem occurs when the package handles the “oldsocketmode” option when processing overly large requests. According to the advisory, an attacker could exploit the vulnerability to launch a DoS attack on the Crossfire server. An attacker could also launch arbitrary code to gain the permissions of the game server.
Gentoo: fbida — vulnerability
April 23, 2006
According to Jan Braun, fbida’s “fbgs” script creates insecure temporary files in the “/var/tmp” directory. An attacker could exploit the problem by creating links in the temporary file directory which point to a valid file in the filesystem, giving the attacker the rights of the user running the compromised script.
Gentoo: dia — buffer overflow
April 23, 2006
Dia is a diagram creation program which is vulnerable to a buffer overflow in the XFig file import plugin, a problem discovered by infamous41md. An attacker could exploit the security hole, using a specially crafted file to execute arbitrary code with the rights of the user running Dia.
Gentoo: xine-ui — format string vulnerability
April 26, 2006
Xine-ui is a user interface for xine, which is an open source multimedia player. Ludwig Nussel found a format string vulnerability in the way xine-ui implemented formatted printing. A malicious attacker could use specially crafted play lists to execute arbitrary code with the permissions of the user running the application.
Gentoo: xine-lib — buffer overflow vulnerabilities
April 26, 2006
Xine-lib contains buffer overflow vulnerabilities according to Frederic L. Bossi Bonin. A remote attacker could use maliciously crafted MPEG files to execute arbitrary code with the privileges of the user running Xine-ui.
Mandriva: module-init-tools –programming error
April 27, 2006
Mandriva issued an update for a security vulnerability in the default configuration of Module-Init-Tools. When the ‘usblp’ kernel module is loaded while Module-Init-Tools is in the default configuration, it sends a HUP signal to the CUPS daemon. Since udev also sends a HUP signal to the CUPS daemon on plug in of a USB printer , the two consecutive HUPS can cause the CUPS daemon to crash.
Red Hat: ipsec-tools — vulnerability
April 25, 2006
The ipsec-tools package, which is used in Racoon, an IKEv1 keying daemon, contains a security vulnerability which an attacker could exploit to crash the daemon. The problem only occurs when the Racoon daemon is configured insecurely. Default installations are not affected by the vulnerability.
Category:
- Security
