Linux.com weekly security advisory – March 17, 2006


Author: Kelley Greenman

This week, Debian, Fedora, Gentoo, Mandriva, Red Hat, and Ubuntu released security advisories. Among the affected packages were Cube, Freeciv, Bomberclone, kdegraphics, WebCalendar, FFmpeg, GnuPG, metamail, Curl, libextractor, Crossfire, Lurker, Zoo, and several other packages. Ubuntu released an important kernel upgrade that addresses several vulnerabilities. FreeBSD did not report any security updates this week.

Vulnerabilities in libavcodec

Late last year, Simon Kilvington reported a bug in FFmpeg libavcodec, versions 0.4.9-pre1 and earlier. Libavcodec is an open source codec library that is included in FFmpeg, an audio and video conversion tool. The problem affects a number of packages including several multimedia and streaming media players such as MPlayer, VLC, Xmovie, and GStreamer.

This week, Debian issued updates for FFmpeg, VLC, and Xine-lib, packages affected by the bug in libavcodec. The VLC media player is vulnerable because it links statically against libavcodec and Xine-lib is vulnerable because it includes a local copy of libavcodec.

According to Kilvington’s bug report, the heap-based buffer overflow is a boundary error in the avcodec_default_get_buffer() function in utils.c. The function does not allocate enough space for the palette entries of images in the PIX_FMT_PAL8 pixel format, even for very tiny images, because the buffer is sized for the pixel data alone.

Consequently, when the palette data is copied into the data array it overruns the allocated buffer. The resulting heap corruption typically shows up as a segfault inside glibc’s malloc/free. The bug can be triggered by using avcodec_decode_video to read a specially crafted 1×1 pixel PNG image file containing a palette.

Because of this heap-based buffer overflow, packages using FFmpeg libavcodec could be vulnerable to a variety of attacks. A remote attacker could trick a user into opening a malicious audio or video file containing a specially crafted PNG image, causing a denial of service (a crash) or, in the worse case, executing arbitrary code with the privileges of the targeted user.
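As an added illustration (not code from FFmpeg or from the advisory), a small C model of the sizing check a fixed get_buffer() needs: a PAL8 buffer must hold the fixed 1024-byte palette in addition to width×height pixels, so a 1×1 image needs 1025 bytes rather than 1. The frame layout and the helper names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* A PAL8 palette is 256 entries of 4 bytes (libavcodec's AVPALETTE_SIZE). */
#define PAL8_PALETTE_BYTES 1024

/* Constructed model of a PAL8 frame.  Keeping pixels and palette in one buffer
   is an illustrative assumption, not libavcodec's actual buffer layout. */
typedef struct {
    int width, height;
    size_t data_size;   /* bytes actually allocated behind data */
    uint8_t *data;
} pal8_frame;

/* Size a get_buffer() implementation must provide for a PAL8 image: one byte
   per pixel plus the fixed-size palette.  Returns 0 on invalid dimensions or
   arithmetic overflow.  The bug described above amounts to sizing by
   width*height alone, so a 1x1 image received a 1-byte buffer. */
size_t pal8_required_size(int width, int height)
{
    if (width <= 0 || height <= 0)
        return 0;
    if ((size_t)width > (SIZE_MAX - PAL8_PALETTE_BYTES) / (size_t)height)
        return 0;
    return (size_t)width * (size_t)height + PAL8_PALETTE_BYTES;
}

/* Copy the palette behind the pixel data only if the buffer was sized for it.
   Returns 1 on success, 0 when the copy would run past the heap block, which
   is exactly the condition that produced the overflow. */
int pal8_store_palette(pal8_frame *f, const uint8_t *palette)
{
    size_t need = pal8_required_size(f->width, f->height);
    if (need == 0 || f->data_size < need)
        return 0;
    memcpy(f->data + (need - PAL8_PALETTE_BYTES), palette, PAL8_PALETTE_BYTES);
    return 1;
}

/* The 1x1 case from the report: a pixel-only buffer is refused, a buffer that
   also holds the palette is accepted.  Returns 1 when both behave as expected. */
int pal8_demo(void)
{
    static uint8_t palette[PAL8_PALETTE_BYTES];      /* constructed all-zero palette */
    static uint8_t tiny[1];                           /* width*height bytes only */
    static uint8_t sized[1 + PAL8_PALETTE_BYTES];
    pal8_frame under = { 1, 1, sizeof tiny, tiny };
    pal8_frame ok    = { 1, 1, sizeof sized, sized };
    return pal8_store_palette(&under, palette) == 0 &&
           pal8_store_palette(&ok, palette) == 1;
}
```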

Debian released updates for the following packages: FFmpeg in the version 0.cvs20050313-2sarge1; VLC in version 0.8.1.svn20050314-1sarge1; and Xine-lib version 1.0.1-1sarge2.


Debian: curl — buffer overflow
March 10, 2006

Several off-by-one errors were discovered in Curl, a command line tool and library for client-side URL transfers. Stefan Esser found that the errors could lead to a buffer overflow allowing the execution of arbitrary code or a denial of service. It may also be possible for a remote attacker to craft URLs that bypass PHP security restrictions. Debian’s advisory indicates that the problems have been addressed for sarge in the curl_7.13.2-2sarge5 package. Additionally, the advisory notes that the “update also includes a bugfix against data corruption.”


Debian: bluez-hcidump — programming error
March 10, 2006

An update fixes a security hole in bluez-hcidump, a utility that examines Bluetooth HCI packets. A remote attacker could exploit the hole to cause a denial of service. The problem has been fixed in version 1.17-1sarge1.


Debian: zoo — buffer overflow
March 10, 2006

The file archiving utility Zoo is subject to a buffer overflow vulnerability discovered by Jean-Sebastien Guay-Leroux. A remote attacker could trick a user into opening a malformed Zoo archive, which could execute arbitrary code with the privileges of the targeted user. An update fixes the problem in version 2.10-11sarge0.


Debian: ffmpeg — heap-based overflow
March 10, 2006

According to Simon Kilvington, the multimedia library of FFmpeg, libavcodec, contains a heap-based overflow vulnerability. Using specially crafted PNG files, an attacker could execute arbitrary code. An update, ffmpeg_0.cvs20050313-2sarge1, is available.


Debian: gnupg — programming error
March 10, 2006

Tavis Ormandy discovered a programming error in GnuPG, the GNU Privacy Guard. GnuPG reports a “good signature” status when verifying an external signature file even if the valid signature it contains does not belong to the data packet being checked. An update, version 1.4.1-1.sarge3, includes a fix for the issue.


Debian: freeciv — denial of service
March 13, 2006

A security vulnerability in Freeciv, the Free Civilization server, was discovered by Luigi Auriemma. The denial of service vulnerability could allow a remote attacker to crash the server. An update is available for Sarge, version 2.0.1-1sarge1.


Debian: metamail — buffer overflow
March 13, 2006

Metamail, an implementation of Multipurpose Internet Mail Extensions (MIME), contains a buffer overflow vulnerability discovered by Ulf Härnhammar. An attacker could exploit it to execute arbitrary code or cause a denial of service. The problem has been addressed for Sarge in the package metamail_2.7-47sarge1.


Debian: libcrypt — vulnerability
March 13, 2006

When using block encryption algorithms with block sizes of less than 8 bytes, the Perl Crypt::CBC module produces weak ciphertext, according to Lincoln Stein who discovered the problem. The vulnerability has been addressed in the stable distribution (sarge), version 2.12-1sarge1.


Debian: bomberclone — buffer overflow
March 13, 2006

According to Stefan Cornelius of Gentoo Security, the Bomberclone game could crash when processing inordinately long error packets. The buffer overflow vulnerabilities could allow a remote attacker to execute arbitrary code. An update is available for the stable distribution (sarge), version 0.11.5-1sarge1.


Debian: libextractor — several vulnerabilities
March 14, 2006

Libextractor, a library that extracts arbitrary meta-data from files, is affected by several potential vulnerabilities originally discovered in Xpdf, whose code it includes. The problems have been fixed by Derek Noonburg and an update is available for the stable distribution (sarge), version 0.4.2-2sarge3.


Debian: lurker — several vulnerabilities
March 14, 2006

Several vulnerabilities affect Lurker, a mailing list archiver with an integrated search engine. A remote attacker may be able to overwrite files in any writable directory named mbox. Additionally, an attacker can override configuration files and manipulate Lurker into reading any file readable by the user it runs as. It may also be possible for an attacker to inject arbitrary code. To fix these problems, there is an update for the stable distribution (sarge), version 1.2-5sarge1.


Debian: crossfire — vulnerability
March 14, 2006

The multiplayer game Crossfire is vulnerable to the execution of arbitrary code. When running in “oldsocketmode,” the game performs insufficient bounds checking on network packets. The problem has been addressed in the stable distribution (sarge), version 1.6.0.dfsg.1-4sarge1.


Debian: webcalendar — several vulnerabilities
March 15, 2006

There are several vulnerabilities affecting WebCalendar, a PHP-based multi-user calendar. A remote attacker could execute arbitrary code through several SQL injection vulnerabilities. Also, files could be overwritten due to missing input sanitizing, and a remote attacker could carry out HTTP response splitting attacks by exploiting a CRLF injection vulnerability. This week’s update fixes the problems in the stable distribution (sarge), version 0.9.45-4sarge3.


Debian: xpvm — vulnerability
March 16, 2006

According to Eric Romang, there is a flaw in XPVM, a graphical console and monitor for PVM. XPVM creates a temporary file insecurely, which enables a local attacker to overwrite or create arbitrary files with the permissions of the targeted user. There is an update available for the stable distribution (sarge), version 1.2.5-7.3sarge1.


Debian: vlc — heap-based overflow
March 16, 2006

A heap-based overflow vulnerability in libavcodec was discovered by Simon Kilvington. According to Kilvington, a remote attacker can use a maliciously crafted PNG image to execute arbitrary code. The problem has been addressed for the stable distribution (sarge), version 0.8.1.svn20050314-1sarge1.


Debian: xine-lib — heap-based overflow
March 16, 2006

Xine-lib includes a local copy of libavcodec, which is vulnerable to a heap-based overflow attack discovered by Simon Kilvington. An attacker could exploit the vulnerability with specially crafted PNG images in order to execute arbitrary code. An update is available for the stable distribution (sarge), version 1.0.1-1sarge2.


Fedora: gnupg — vulnerability
March 13, 2006

Fedora released an update addressing a flaw in GnuPG, a GNU utility for encrypting data and creating digital signatures. Discovered by Tavis Ormandy, the flaw could allow an attacker to craft a message, adding unsigned text to a signed message.


Gentoo: cube — buffer overflow
March 13, 2006

Cube, a multiplayer game engine, is vulnerable to a buffer overflow attack according to Luigi Auriemma. A buffer overflow in the sgetstr() function could be exploited by a remote attacker to execute arbitrary code with the rights of the targeted user. Auriemma also discovered other problems that could cause a denial of service or server crash.


Gentoo: zoo — buffer overflow
March 16, 2006

The file archiving utility Zoo is vulnerable to a buffer overflow attack. A remote attacker could trick a user into opening an archive containing maliciously crafted directory names or filenames. Due to insecure use of the strcpy() function, this could execute arbitrary code with the rights of the targeted user.


Gentoo: freeciv — denial of service
March 16, 2006

Luigi Auriemma discovered a denial of service vulnerability in the civserver component of Freeciv, a popular multiplayer game. A remote attacker could send specially crafted packets which, when decompressed, could crash or freeze the Freeciv server.


Red Hat: gnupg — vulnerabilities
March 9, 2006

Red Hat released an update to fix problems with GnuPG discovered by Tavis Ormandy. According to the advisory, one bug could allow a remote attacker to trick a user into processing a message with a malformed detached signature. A second bug could enable a remote attacker to trick a targeted user into processing a message, outputting signed and unsigned data.


SUSE: gpg — remote code execution
March 10, 2006

The GNU Privacy Guard is vulnerable to a remote attack. Using specially crafted YaST Online Patch files hosted on a compromised YOU mirror server, a remote attacker could trick a user into executing arbitrary code. The SUSE advisory notes that this is a new vulnerability, different from an earlier signature checking problem (SUSE-SA:2006:013 / CVE-2006-0455), so users should update their packages even if they patched the earlier vulnerability.


Ubuntu: libapache2-mod-php4, libapache2-mod-php5 — PHP vulnerabilities
March 10, 2006

According to Stefan Esser, the session modules in libapache2-mod-php4 and libapache2-mod-php5 do not correctly validate the user-supplied session ID. A remote attacker could insert arbitrary HTTP headers into the response sent by the PHP application. The update also fixes vulnerabilities that leave the packages open to Cross Site Scripting (XSS) attacks.


Ubuntu: base-config, passwd — PHP vulnerabilities
March 10, 2006

There is a flaw in the Ubuntu 5.10 installer that might allow any local user to see the password belonging to the first user account. By default, the first user account has full sudo privileges. According to Ubuntu’s advisory, the update will remove the passwords and “make the log files readable only by root.”


Ubuntu: kernel — several vulnerabilities
March 12, 2006

Ubuntu released a kernel update, advising users to upgrade the affected package to versions 2.6.8.1-16.28 (for Ubuntu 4.10), 2.6.10-34.12 (for Ubuntu 5.04), and 2.6.12-10.30 (for Ubuntu 5.10).


Ubuntu: gnupg — vulnerability
March 12, 2006

A flaw in GnuPG’s signature verification process, discovered by Tavis Ormandy, affects GPG, the GNU Privacy Guard. The flaw could result in GPG reporting a good signature even though unsigned data has been added to the checked message.
