Author: Kelley Greenman
This week, the vendors Debian and Ubuntu issued updates for GNU Mailman, the GNU Mailing List Manager. Mailman is primarily written in the Python programming language, but developers also rely on some C code. Mailman is used to manage email distribution for discussion lists, announcement lists, and electronic newsletters. Since email list administrators can use a Web-based interface to manage the list and Mailman includes its own archiving feature, it offers a flexibility that makes it very popular with users.
Duncan S. Salada discovered the vulnerability, which is located in the attachment scrubber, Scrubber.py, in Mailman versions 2.1.5 and earlier. The problem only affects installations which use the Python library email module 2.5, which is part of Python. According to Mark Sapiro, the bug in Scrubber.py “contains the following insert before the ‘size = len(payload)’.” It is commented out in Mailman’s precompiled code:
# XXX Under email 2.5, it is possible that payload will be None. # This can happen when you have a Content-Type: multipart/* with # only one part and that part has two blank lines between the # first boundary and the end boundary. In email 3.0 you end up # with a string in the payload. I think in this case it's safe to # ignore the part. if payload is None: continue size = len(payload)
The problem renders Mailman susceptible to a remotely launched Denial of Service attack, which causes the service to stop distributing email messages for the affected list(s). Email distribution ends when subsequent email messages end up in the shunt queue (qfiles/shunt/). Since the message or parts of it is still in the list/<listname>/digest.mbox, each new message yields yet another error, exacerbating the problem and causing the Denial of Service.
Debian and Ubuntu developers have fixed the issue in version 2.1.6. However, if you’re using Mailman versions 2.1.5 and earlier you should be sure to update your packages.
While no security updates have been issued by vendors to address the following vulnerability, it is included in this bulletin for those unaware that another security threat affects Mailman packages. Michael Meissner initially discovered the vulnerability on February 2, 2006.
An investigation revealed that the attack, which occurred on January 2, targeted the configuration database for the mailing list at Netsys.com. It was compromised by a remote attacker using a directory traversal exploit. The attack took advantage of a vulnerability in Mailman 2.1.5 that had not been published. The Mailman security team immediately issued an advisory, deeming the problem critical since it could be exploited by an attacker to obtain passwords belonging to mailing list subscribers. Users were encouraged to upgrade to Mailman version 2.1.6, since the security hole was fixed prior to distribution.
Upon further investigation, researchers discovered the problem only affected Mailman, versions 2.1 through 2.1.5, when using Python’s library email module 2.5. According to the initial security advisory, the security risk depends on a variety of factors such as which version of Apache is installed and how it is configured. Initially, many installations of Apache 1.3 were considered vulnerable to the risk, while Apache 2 x versions appeared to be unaffected by the problem.
Meissner located the directory traversal vulnerability in Mailman’s private module, the true_path function in private.py: Mailman/Cgi/private.py file: def true_path(path). The problem meant that “…/….///” sequences were incorrectly sanitized by regular expressions which are supposed to remove “../” and “./” sequences. Consequently, the flawed path vulnerability could be exploited by an attacker using a maliciously crafted URL fragment in the form of “…/….///”. Crafted this way, the URL could pass through the function and return as “../”. The resulting directory traversal uses an URL syntax to retrieve arbitrary files readable by Mailman. The malicious URL contains the following syntax:
/mailman/private/<list>/<path>?username=<username>&password=<password>
Consequently, the attacker could gain access to databases containing user passwords, the Mailman configuration database, private list archives, and other sensitive files. Researchers also believed that the vulnerability could also be used to launch a Denial of Service attack.
The Mailman development team recommends that users apply a patch to Mailman as soon as possible. They also recommend that users republish email list member passwords by using the Mailman 2.1.6 reset_pw.py script. Once the passwords are regenerated, place the file in Mailman’s installation bin directory. Finally, the security announcement recommends that users manually run the cron/mailpsswds script to send new passwords to list subscribers.
Debian: libapreq2-perl — denial of service
April 3, 2006
A previous update did not fix an algorithm weakness in Apache2::Request. The problem, discovered by Gunnar Wolf, could be exploited by a remote user to launch a Denial of Service attack.
Debian: kaffeine — buffer overflow
April 5, 2006
Marcus Meissner discovered an unchecked buffer in Kaffeine, a media player for KDE 3. An attacker could exploit the security hole in order to execute arbitrary code.
Debian: storebackup — several vulnerabilities
April 5, 2006
There are several vulnerabilities in storebackup, a backup utility. The vulnerability could leave the package vulnerable to a symlink attack or data leaks.
Debian: libapreq2-perl — vulnerability
April 5, 2006
An earlier update for Libapreq2-perl was incomplete, according to Gunnar Wolf. The unspecified vulnerability, an algorithm weakness in Apache2::Request, could be exploited by a remote attacker to cause a Denial of Service attack.
Debian: clamav — several vulnerabilities
April 5, 2006
The anti-virus toolkit ClamAV is subject to multiple vulnerabilities which could be exploited to launch Denial of Service attacks or execute arbitrary code. The update contains a fix for the stable distribution (sarge), version 0.84-2.sarge.8.
- There is an integer overflow in the PE header parser. Damien Put discovered the vulnerability which can only be exploited when the ArchiveMaxFileSize option is disabled.
- There are format string vulnerabilities in the logging code, leaving the package open to the execution of arbitrary code.
- There is a vulnerability in the cli_bitset_set() function, which was discovered by David Luyer. An attacker could exploit the security hole to launch a Denial of Service attack.
Debian: dia — buffer overflow
April 6, 2006
Infamous41md discovered three buffer overflow vulnerabilities in Dia. The problems are located in the Xfig import code and they can be exploited by an attacker to execute arbitrary code. Debian has released an update for Sarge.
Debian: sash — vulnerabilities
April 6, 2006
According to Markus Oberhumer, there are two flaws in Zlib, a library used in packages like Sash, which compress and decompress files. The first problem is located in Zlib’s handling of invalid input. It can cause Zlib to crash when handling an invalid file. The second problem occurs when Zlib decompresses files, causing Zlib to crash when opening specially crafted files.
Debian: mailman — denial of service
April 6, 2006
The mailing list manager, Mailman, is vulnerable to a Denial of Service attack. The attachment scrubber incorrectly handles malformed multipart MIME messages containing a single part that has two blank lines between the first boundary and the end boundary. The problem affects Mailman versions 2.1.5 and earlier, but only when using Python’s library email module 2.5.
Fedora: samba — multiple vulnerabilities
March 31, 2006
Fedora released an update for Samba, a suite that provides file and print services. The update fixes a problem with the winbindd daemon in Samba 3.0.21 and subsequent patch releases (3.0.21a-c). According to Samba’s original advisory the daemon “writes the clear text of server’s machine credentials to its log file at level 5. The winbindd log files are world readable by default.”
Fedora: sendmail — programming flaw
April 5, 2006
Mark Down of ISS X-Force reported a bug in Sendmail, the popular Mail Transport Agent (MTA). Sendmail is vulnerable to a race condition when handling asynchronous signals and could be exploited by a remote attacker in order to gain the privileges of a targeted user running Sendmail.
Fedora: dia — buffer overflow
April 5, 2006
Dia contains three buffer overflow vulnerabilities discovered by Infamous41md. Located in the Xfig import code (xfig-import.c), the problem could be exploited by an attacker using maliciously crafted Xfig files containing an invalid color index, number of points, or depth.
Gentoo: horde — vulnerability
April 2, 2006
The Horde Application Framework contains two vulnerabilities addressed in the latest update. The first, discovered by Jan Schneider, is located in the help viewer. The security hole could be exploited by a remote attacker to launch arbitrary code with the permissions of the targeted user. Paul Craig discovered the second problem: the “services/go.php” incorrectly validates the passed URL parameter. The condition could allow an attacker to read arbitrary files by exploiting the input validation issue in go.php.
Gentoo: freeradius — vulnerability
April 4, 2006
A validation issue in the EAP-MSCHAPv2 module of FreeRADIUS could allow an attacker to override authentication controls. The problem could also leave FreeRADIUS vulnerable to a Denial of Service attack because there is insufficient input validation when running the EAP-MSCHAPv2 state machine module.
Gentoo: mediawiki — vulnerability
April 4, 2006
The popular collaborative editing software, MediaWiki, is vulnerable to a cross-site scripting attack. The problem occurs because MediaWiki does not correctly decode encoded URLs. An attacker could create malicious links to exploit the vulnerability, injecting malicious HTML or JavaScript code in order to compromise a vulnerable user’s browser. This cross-site scripting attack could allow arbitrary JavaScript code execution.
Gentoo: kaffeine — buffer overflow
April 5, 2006
Kaffeine is a graphical interface used with the Xine-lib multimedia library. It contains an unchecked buffer overflow vulnerability when retrieving RAM play lists via HTTP. A malicious attacker could trick a user into fetching a specially created RAM play list in order to launch arbitrary code with the privileges of the targeted user.
Gentoo: doomsday — format string vulnerabilities
April 6, 2006
The gaming engine, Doomsday, is subject to format string vulnerabilities discovered by Luigi Auriemma. The package does not correctly implement formatted printing. Consequently, it can be exploited by an attacker sending malicious strings in order to execute arbitrary code with the rights of the user running the Doomsday server or client.
Gentoo: horde — vulnerability
April 2, 2006
The Horde Application Framework contains two vulnerabilities. The first, discovered by Jan Schneider, is located in the help viewer, the security hole could be exploited by a remote attacker to launch arbitrary code with the permissions of the targeted user. Paul Craig found the second problem: the “services/go.php” incorrectly validates the passed URL parameter. The condition could allow an attacker to read arbitrary files by exploiting the input validation issue in go.php.
Mandriva: php — vulnerability
April 2, 2006
PHP contains an information leak vulnerability where, according to the Mandriva security bulletin, “the html_entity_decode() function would return a chunk of memory with length equal to the string supplied.” The problem may involve user data, PHP code, and PHP ini data. An attacker could exploit the security hole to access memory content. After updating the package, Mandriva’s security team cautions users to issue “a ‘service httpd restart’ in order for the fixed packages to be properly loaded.”
Mandriva: dia — buffer overflow
April 3, 2006
Infamous41md discovered three buffer overflow vulnerabilities in Xfig import code (xfig-import.c) in Dia, an open source drawing program. The problem could be exploited by an attacker using maliciously crafted Xfig files containing an invalid color index, number of points, or depth.
Mandriva: mysql — vulnerability
April 3, 2006
A vulnerability in MySQL versions 5.0.18 and earlier could be exploited by a local user in order to bypass logging mechanisms The mysql_real_query function incorrectly handles the NULL character in SQL queries.
Mandriva: kaffeine — buffer overflow
April 5, 2006
Kaffeine contains an unchecked buffer discovered by Marcus Meissner. The popular media player for KDE 3 is vulnerable to exploits that use malicious RAM play lists in order to launch arbitrary code on the host machine.
Mandriva: freeradius — vulnerabilities
April 5, 2006
The sql_error function in sql_unixobcd.c has an off-by-one error in FreeRADIUS, a widely used authentication server. A remote attacker could exploit the problem to execute arbitrary code and cause the external database query to fail. Alternatively, the vulnerability could be used to launch a Denial of Service attack, crashing the server.
Red Hat : openmotif — vulnerability
April 4, 2006
OpenMotif contains several buffer overflow vulnerabilities located in the libUil library. An attacker could exploit the flaws by luring a user into launching a program linked against OpenMotif. By doing so, the attacker could load a malicious User Interface Language (UIL) file.
Red Hat : freeradius — vulnerabilities
April 4, 2006
FreeRADIUS is subject to vulnerabilities that could allow a remote attacker to launch a Denial of Service attack because there is insufficient input validation when running the EAP-MSCHAPv2 state machine module. Additionally, there is a problem with the way “FreeRADIUS logs SQL errors from the sql_unixodbc module.” The vulnerability could be exploited to crash the server or execute arbitrary code by manipulating the SQL database to which FreeRADIUS is connected.
Red Hat : tzdata — vulnerability
April 4, 2006
This vulnerability affects Sri Lankan users of tzdata, a package that contains time zone files and rules. Red Hat’s security team advises users to be sure to rerun system-config-date to update the local time zone in /etc/localtime.
Ubuntu: dia — buffer overflow
April 3, 2006
A buffer overflow vulnerability affects Dia, Dia-gnome, and Dia-libs. The vulnerability is located in the Xfig file format importer. An attacker could trick a user into opening a maliciously crafted .fig file with Dia in order to execute arbitrary code with the permissions of the targeted user.
Ubuntu: mailman — denial of service
April 3, 2006
The popular GNU mailing list manager, Mailman, is vulnerable to a Denial of Service attack. The problem was located in the decoder used for multipart messages. A remote attacker could exploit the security hole by sending malicious email attachments to a mailing list.
Ubuntu: kaffeine — buffer overflow
April 6, 2006
Kaffeine contains a buffer overflow in the http_peek() function, a vulnerability discovered by Michael Meissner. A remote attacker could trick a user into opening a malicious RAM play list in order to execute arbitrary code with the permissions of the targeted user.
Category:
- Security
