Linux.com weekly security advisory – March 24, 2006


Author: Kelley Greenman

This week, Debian, Fedora, FreeBSD, Gentoo, Mandriva, Red Hat, SUSE, and Ubuntu released security advisories. Affected packages include Sendmail, PHP, Ilohamail, Crossfire, kdegraphics, Drupal, Xorg, Heimdal, Metamail, Crypt::CBC, pngcrush, Flash Player, PeerCast, IPsec, OPIE, Evolution, and several other packages. Mandriva released an important kernel upgrade that addresses several vulnerabilities that could leave users' systems open to denial of service attacks, and several distributions addressed a critical Sendmail vulnerability.

Sendmail vulnerability

Debian, FreeBSD, Gentoo, Mandriva, Red Hat, and SUSE released security updates addressing a critical vulnerability in the Sendmail mail transfer agent (MTA). By some estimates, Sendmail handles 50% to 75% of all email traffic on the Internet.

The vulnerability is a signal race in Sendmail's handling of connections from remote clients. Mark Dowd of ISS X-Force discovered the flaw, which lies in the way Sendmail combines setjmp(), longjmp(), and sm_syslog() with its timeout handling.

Because of these errors, Sendmail handles asynchronous signals incorrectly: when a timeout signal arrives while one of these routines is partway through updating static data, the signal handler interrupts it and leaves those static data elements in an inconsistent state.

According to the ISS X-force security advisory, the inconsistent data elements could potentially be used “to write data to invalid parts of the stack” in order to take control of the vulnerable process.

This is a critical issue because an attacker does not need to trick a user into opening a maliciously crafted file. An attacker simply needs to connect to Sendmail's SMTP port to trigger the bug. Since Sendmail forks a new process for every client connection, a crashed child does not take the listening daemon down, so the attacker can retry the race as many times as needed.

To exploit the flaw, an attacker paces the SMTP session so that the server's timeout fires at a chosen moment, corrupting stack memory in the child process. A successful exploit yields the privileges of the user the Sendmail daemon runs as; when Sendmail runs as root, that means root access to the compromised host.

Since the vulnerability could allow an attacker to gain root privileges on a targeted system, an attacker could go on to read confidential information, exploit other vulnerabilities on the compromised host, and use it to reach further into the network.

Sendmail is the default MTA in several Linux distributions, so be sure to update your packages. Because the listening daemon forks every child from its own image, the old binary keeps serving connections until the daemon is restarted; after upgrading, confirm that the running daemon was restarted and that the installed version matches the fixed version in your distribution's advisory (for example, `echo | sendmail -d0.1 -bt` prints the version banner of the installed binary).


Debian: drupal — several vulnerabilities
March 17, 2006

Debian reports several vulnerabilities in Drupal, a popular content management system. The vulnerabilities leave the package open to a variety of remote exploits that could allow an attacker to gain user privileges, access and alter data, and use Drupal as a spam relay, among other things. The problems have been addressed for Sarge in version 4.5.3-6.


Debian: kdegraphics — buffer overflow
March 17, 2006

The earlier fix for kpdf in DSA 932 did not address all of the buffer overflow vulnerabilities, according to researcher Marcelo Ricardo Leitner. An attacker could exploit the remaining overflows to execute arbitrary code through a crafted PDF file. The latest update fixes the problem for the stable distribution (sarge), version 3.3.2-2sarge4.


Debian: libmail-audit-perl — insecure temporary file
March 20, 2006

Niko Tyni located a security issue in Mail::Audit, a Perl module for creating mail filters. According to Tyni, when logging is turned on, the module logs to a temporary file with a predictable filename, the classic setup for a symlink attack by a local user. The latest update includes a fix for the stable distribution (sarge), version 2.1-5sarge4.


Debian: ilohamail — missing input sanitizing
March 20, 2006

The multilingual Web-based IMAP/POP3 client Ilohamail is vulnerable to remote attack, according to Ulf Härnhammar of the Debian Security Audit Project. Ilohamail does not consistently sanitize user input, leaving the mail client open to remote injection of arbitrary Web script or HTML (cross-site scripting). The problem has been resolved in the latest update for the stable distribution (sarge), version 0.8.14-0rc3sarge1.


Debian: crossfire — buffer overflow
March 21, 2006

A buffer overflow vulnerability can leave the multiplayer game Crossfire open to remote execution of arbitrary code. An update is available for the stable distribution (sarge), version 1.6.0.dfsg.1-4sarge2.


Debian: unzip — buffer overflow
March 21, 2006

Unzip, a utility for decompressing ZIP files, is vulnerable to a buffer overflow exploit that could allow an attacker to execute arbitrary code. An update is available for the stable distribution (sarge), 5.52-1sarge4.


Debian: snmptrapfmt — buffer overflow
March 22, 2006

Will Aoki reported a vulnerability in snmptrapfmt, a configurable SNMP trap handler daemon for snmpd. The problem occurs because, according to the advisory, the package "does not prevent overwriting existing files when writing to a temporary log file." The update fixes the problem in the stable distribution (sarge), version 1.08sarge1.


Debian: firebird2 — buffer overflow
March 23, 2006

Firebird2, an RDBMS based on the InterBase 6.0 code, is vulnerable to attack due to a buffer overflow discovered by Aviram Jenik and Damyan Ivanov. The weakness could allow a remote attacker to launch a denial of service (DoS) attack. The problem has been addressed in an update for the stable distribution (sarge), version 1.5.1-4sarge1.


Debian: sendmail — programming error
March 23, 2006

Mark Dowd of ISS X-Force discovered a programming bug in Sendmail. A race condition exists when Sendmail handles asynchronous signals. The vulnerability could be exploited by a remote attacker to execute arbitrary code and gain the privileges of the root user. This problem has been fixed for the stable distribution (sarge), version 8.13.4-3sarge1.


Debian: evolution — format string vulnerabilities
March 23, 2006

According to Ulf Härnhammar, multiple format string vulnerabilities exist in the free groupware suite, Evolution. The problem could allow an attacker to crash the application or execute arbitrary code. The problem has been fixed with the latest update for the stable distribution (sarge), 2.0.4-2sarge1.


Debian: kernel — multiple vulnerabilities
March 23, 2006

Debian released a kernel update that addresses multiple security vulnerabilities that could lead to both local and remote DoS attacks. Affected systems are also vulnerable to arbitrary code execution by malicious attackers. According to Debian's advisory, the fixes introduced a "change in the kernel's binary interface" and "the affected kernel packages inside Debian have been rebuilt." Consequently, anyone running locally built kernel modules or other add-ons must rebuild them against the updated kernel.


Fedora: xorg-x11 — vulnerability
March 20, 2006

Alan Coopersmith of the X.Org development team discovered critical security issues in the Xorg server. An attacker could exploit the vulnerabilities to gain the privileges of the root user. The security announcement from Fedora also noted that the vulnerability could allow an attacker to overwrite files writable only by root by using the -logfile command line argument.


Fedora: beagle — several vulnerabilities
March 20, 2006

The data search package Beagle contains multiple security vulnerabilities. Fedora has released an update to address the issue.


Fedora: curl — heap-based buffer overflow
March 21, 2006

A heap-based buffer overflow in curl was discovered by Ulf Härnhammar. A remote attacker could exploit the overflow by tricking a user into requesting a specially crafted TFTP URL, including by way of an HTTP server that redirects to a malicious TFTP URL. This update also addresses installation problems in multilib.


FreeBSD: ipsec — programming error
March 22, 2006

A programming error in the FAST_IPSEC implementation means that sequence number verification checks are not performed correctly. An attacker who can capture IPsec traffic could replay packets that the anti-replay check should have rejected.


FreeBSD: opie — vulnerability
March 23, 2006

OPIE, a one-time password system, contains a weakness that could be exploited by an attacker who can run commands without being logged in (for example, through a web server's CGI scripts). Consequently, the attacker could run scripts that give the attacker the privileges of the root user.


FreeBSD: sendmail — programming error
March 23, 2006

A programming error in Sendmail was discovered by Mark Dowd of ISS X-Force. A race condition exists when Sendmail handles asynchronous signals. A remote attacker may be able to execute arbitrary code with the privileges of the user running Sendmail.


Gentoo: crypt::cbc — vulnerability
March 17, 2006

When running in RandomIV mode, Crypt::CBC generates only 8 bytes of random initialization vector regardless of the cipher's block size, according to Lincoln Stein. For ciphers with blocks larger than eight bytes, such as Rijndael (AES), the remaining bytes of the IV are effectively zero, so the IV is only half random and the ciphertext is weaker than intended. The vulnerability could be exploited by an attacker to bypass security controls and access sensitive information.


Gentoo: pear-Auth — vulnerability
March 17, 2006

According to Matt Van Gundy, who discovered the flaw, PEAR-Auth incorrectly validates data passed to the DB and LDAP containers. The flaw could allow a remote attacker to bypass security controls by injecting maliciously crafted input into the underlying storage containers.


Gentoo: heimdal — privilege escalation vulnerability
March 17, 2006

There is an error in the rshd daemon of Heimdal, which is a free implementation of Kerberos 5. An authenticated user could exploit the vulnerability in order to gain escalated privileges or to alter the content or ownership of files.


Gentoo: metamail — buffer overflow
March 17, 2006

Metamail, an implementation of Multipurpose Internet Mail Extensions (MIME), contains a buffer overflow vulnerability that was discovered by Ulf Härnhammar. An attacker could send a maliciously crafted email to exploit the security hole. The attack could crash Metamail or allow the execution of arbitrary code.


Gentoo: peercast — buffer overflow
March 17, 2006

PeerCast, a peer-to-peer broadcasting technology for watching Internet radio and video, contains a vulnerability discovered by INFIGO. A remote attacker could exploit the weakness by sending a malicious request to the HTTP server, causing a stack-based buffer overflow that would enable the attacker to execute arbitrary code.


Gentoo: pngcrush — buffer overflow
March 21, 2006

Carsten Lohrke of Gentoo Linux discovered a vulnerability in pngcrush, an optimizer for PNG files. The security hole leaves pngcrush vulnerable to a buffer overflow that could be exploited by a remote attacker, via a crafted PNG file, to execute arbitrary code or launch a DoS attack.


Gentoo: curl/libcurl — buffer overflow
March 21, 2006

Ulf Härnhammar found a buffer overflow vulnerability in libcurl that also affects curl, the command line tool. An attacker could compromise a user's system in one of two ways: by tricking the user into requesting a specially crafted URL with curl or a libcurl-based application, or by having an HTTP server redirect to a malicious TFTP URL.


Gentoo: flash — buffer overflow
March 21, 2006

Adobe Macromedia’s Flash Player contains a critical security hole that could allow an attacker to trick a user into downloading a malicious SWF file, enabling the attacker to execute arbitrary code on the targeted user’s system.


Gentoo: sendmail — programming flaw
March 21, 2006

Mark Dowd of ISS X-Force reported a bug in Sendmail, the popular Mail Transport Agent (MTA). The package is vulnerable to a race condition when handling asynchronous signals. A remote attacker could exploit the condition to gain the privileges of the user running Sendmail.


Gentoo: php — several vulnerabilities
March 22, 2006

Stefan Esser of the Hardened PHP Project has discovered several vulnerabilities in PHP. The security holes could allow a remote attacker to perform cross-site scripting (XSS) attacks, execute arbitrary code, or inject arbitrary HTTP headers.


Gentoo: nethack, falconseye, slashem — vulnerability
March 23, 2006

Three popular dungeon exploration games, NetHack, Slash'EM, and Falcon's Eye, are vulnerable to local attack. A local user could exploit the vulnerability to escalate privileges, executing arbitrary code with the permissions of other users, or to overwrite or create files with the privileges of other users.


Mandriva: xorg-x11 — vulnerability
March 20, 2006

A security vulnerability in Xorg 6.9.0 could leave the package open to DoS attacks or the execution of arbitrary code with the privileges of the root user. The bug is located in xf86Init.c, where the privilege check compares the address of the geteuid function instead of the value it returns (a missing pair of parentheses), so the check always passes and non-root users gain access to the -modulepath, -logfile, and -configure options that should be restricted to root.


Mandriva: cairo — denial of service
March 20, 2006

A bug in libcairo, which is used to render messages in Evolution, could be exploited by an attacker to launch a DoS attack. The Mandriva advisory notes that the Corporate Desktop 3.0 version of Evolution is not vulnerable to the bug because it doesn’t use libcairo.


Mandriva: sendmail — programming flaw
March 22, 2006

The popular MTA (Mail Transport Agent) Sendmail is open to remote attack according to Mark Dowd of ISS X-Force, the researcher who found the bug. When handling asynchronous signals, a race condition exists that could allow an attacker to launch arbitrary code with the privileges of the user running Sendmail.


Mandriva: kernel — multiple vulnerabilities
March 20, 2006

Mandriva released a security update for the Linux 2.6 kernel. The update addresses several vulnerabilities in the kernel, including several that can be used for DoS attacks. Mandriva issued updates for Mandriva Linux 2006 and Mandriva Linux 2006/X86_64.


Red Hat: sendmail — programming flaw
March 22, 2006

Red Hat released a critical update for the popular Mail Transport Agent (MTA), Sendmail. Mark Dowd of ISS X-Force located a race condition in Sendmail's handling of asynchronous signals. The vulnerability could be exploited by a remote attacker to execute arbitrary code with the permissions of the user running Sendmail.


SUSE: x.org x server — programming flaw
March 21, 2006

The Coverity Project discovered a programming error in the X.Org X Server. When the server is installed setuid root, the default in SUSE Linux 10.0, the vulnerability could allow a local attacker to gain root access.


SUSE: flash-player — remote code execution
March 21, 2006

The Adobe Macromedia Flash Player contains a critical vulnerability. A remote attacker could trick a user into running a specially crafted SWF file that allows the attacker to gain control of the application running Flash Player.


SUSE: sendmail — programming flaw
March 22, 2006

Mark Dowd of ISS X-Force discovered a bug in Sendmail, a widely used Mail Transport Agent (MTA). When handling asynchronous signals, the package is vulnerable to a race condition. The vulnerability could be exploited by a remote attacker to gain the privileges of the user running Sendmail. The problem affects SUSE Linux Enterprise Server 8, which uses Sendmail as the default MTA.


SUSE: realplayer — buffer, heap-based overflow
March 23, 2006

There are vulnerabilities in RealPlayer that leave the package open to exploitation. Specially crafted SWF files could trigger a buffer overflow that crashes the player, and a separate heap overflow could be exploited by a malicious file to execute arbitrary code. The problem affects SUSE Linux 9.2 through 10.0 and Novell Linux Desktop 9.


Ubuntu: libcairo2 — Denial of Service
March 23, 2006

libcairo2, the Cairo graphics rendering library, fails to check character strings for maximum length. Mike Davis discovered the problem, which a remote attacker could exploit by sending an email attachment containing very long lines, causing a DoS against Evolution when it renders the message.
