Weekly security advisory - March 31, 2006

Author: Kelley Greenman

Debian, Gentoo, Mandriva, Red Hat, SUSE, and Ubuntu released security updates this week. Fedora and FreeBSD did not issue any security advisories this week. Advisories were issued for KOffice, Flex, bsd-games, libcairo, FreeRADIUS, RealPlayer, and netpbm-free.

Debian released another important kernel upgrade this week. The upgrade addresses several vulnerabilities in kernel-source-2.6.8 that could leave users' systems open to denial of service attacks. Please note that this week's kernel upgrade is different from last week's, which affected the Debian kernel-source-2.4.27. Affected users should be sure to update their systems.

Mandriva and SUSE released updates for an authentication bypass vulnerability in FreeRADIUS EAP-MSCHAPv2. FreeRADIUS is a widely used open source RADIUS server; RADIUS is an authentication, authorization and accounting (AAA) protocol. As an important method of authenticating users, a RADIUS server validates credentials using the PAP, CHAP, or EAP authentication schemes.

FreeRADIUS works under local and roaming conditions and, since the server can scale down to embedded systems with small amounts of memory, it is among the top five authentication servers in the world, according to the vendor's home page.

On March 20th, the vendor reported that Steffen Schuster had located a bug in the popular authentication server. According to the original advisory, the bug is the result of a validation problem in the EAP-MSCHAPv2 module. Since the module first appeared in version 1.0.0, the vulnerability affects FreeRADIUS 1.0.0 through FreeRADIUS 1.1.0.

Schuster found the input validation error in the EAP-MSCHAPv2 state machine. To exploit the flaw, an attacker could manipulate the EAP-MSCHAPv2 state machine from a client system and so trick the server into skipping its authentication checks, gaining network access without valid logon credentials. In some cases an attacker could go beyond bypassing authentication and crash the server, causing a denial of service (DoS).

SUSE's advisory notes that the vendor has released updates for the affected distributions, which include SUSE Linux 9, 9.1, 9.2, 9.3, and 10.0. Mandriva has released updates for both affected distributions: Mandrivalinux 2006 and Mandrivalinux 2006/X86_64.

Additionally, for those interested in learning more about the authentication protocols used by FreeRADIUS, Joshua Hill's paper, "An Analysis of the RADIUS Authentication Protocol", is a good place to start.

Debian: kernel-source-2.4.27 -- several vulnerabilities
March 24, 2006

Debian released a kernel update that addresses multiple security vulnerabilities that could lead to both local and remote DoS attacks. Affected systems are also vulnerable to arbitrary code execution by malicious attackers.

Debian: koffice -- buffer overflow
March 24, 2006

KOffice is affected by several vulnerabilities in Xpdf, a Portable Document Format (PDF) suite. Derek Noonburg has corrected the problem and an update is available for Sarge.

Debian: flex -- vulnerability
March 28, 2006

Flex, a tool for generating text-scanning programs, contains a flaw discovered by Chris Moore: insufficient memory is allocated when "the grammar contains REJECT statements or trailing context rules." An attacker could exploit the flaw to execute arbitrary code. Debian has issued an update for Sarge.

Debian: netpbm-free -- missing input sanitizing
March 28, 2006

Max Vozeler of the Debian Audit Project found a problem with pstopnm, a program which converts PostScript files to PBM, PGM, and PNM formats. An attacker could trick a user into converting a maliciously crafted PostScript file; pstopnm then launches Ghostscript insecurely, a condition that could lead to the execution of arbitrary shell commands. Debian has issued an update for Sarge.

Gentoo: realplayer -- buffer overflow
March 26, 2006

RealPlayer contains a buffer overflow that a remote attacker could trigger with a maliciously crafted SWF file in order to execute arbitrary code with the permissions of the user running RealPlayer.

Gentoo: -- heap-based overflow
March 27, 2006

Libcurl, a library used by, is vulnerable to a heap-based overflow when Libcurl attempts to parse a URL that exceeds a 245-byte limit. A remote attacker could trick a user into calling a malicious URL in order to execute arbitrary code with the permissions of the user running

Gentoo: bsd-games -- escalation vulnerability
March 29, 2006

A privilege escalation vulnerability in BSD-games, a collection of NetBSD games for Linux, has been discovered by Tavis Ormandy of the Gentoo Linux Security Audit Team. According to the advisory, "the checkscores() function in scores.c reads in the data from the /var/games/tetris-bsd.scores file without validation." Since Gentoo does not follow the standard setgid games policy, any user in group games could alter the score file, and by modifying it could execute arbitrary code with the privileges of other players.
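The bsd-games item comes down to a privileged program treating a file that unprivileged users can write as trusted input, and the libcurl item above is the same class of defect applied to a URL: a length that was never checked against a fixed-size buffer. The C code below is an added example, not the bsd-games scores.c and not its file format. It parses a constructed text score table (one "name score level" record per line, with the assumed limits MAX_NAME, MAX_RECORDS and MAX_LINE) and refuses any record that would overflow the name buffer, overrun the table, or carry a non-numeric or out-of-range field, which is the validation the advisory says checkscores() lacked.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record format for this example: "name score level" per line.
 * This is NOT the layout of /var/games/tetris-bsd.scores or of scores.c. */
#define MAX_NAME    16   /* longest player name accepted (assumed limit) */
#define MAX_RECORDS 10   /* high-score table capacity (assumed limit) */
#define MAX_LINE    128  /* longest line we are willing to buffer */

enum parse_status {
    PARSE_OK = 0,
    PARSE_TOO_MANY,       /* more records than the table holds */
    PARSE_BAD_LINE,       /* overlong line, empty name, junk after the fields */
    PARSE_NAME_TOO_LONG,  /* name would overflow the fixed name buffer */
    PARSE_BAD_NUMBER      /* score/level missing, not numeric or out of range */
};

typedef struct {
    char name[MAX_NAME + 1];
    long score;
    int  level;
} score_rec;

/* Parse one line into *out; every field is bounds-checked before it is stored. */
static int parse_record(const char *line, score_rec *out)
{
    size_t n = 0;
    while (line[n] != '\0' && !isspace((unsigned char)line[n])) {
        if (!isprint((unsigned char)line[n]))
            return PARSE_BAD_LINE;     /* control bytes are never a name */
        n++;
    }
    if (n == 0)
        return PARSE_BAD_LINE;
    if (n > MAX_NAME)
        return PARSE_NAME_TOO_LONG;    /* refuse instead of overflowing */
    memcpy(out->name, line, n);
    out->name[n] = '\0';

    const char *p = line + n;
    char *end;
    errno = 0;
    long score = strtol(p, &end, 10);  /* strtol skips the separating blanks */
    if (end == p || errno == ERANGE || score < 0)
        return PARSE_BAD_NUMBER;

    p = end;
    errno = 0;
    long level = strtol(p, &end, 10);
    if (end == p || errno == ERANGE || level < 1 || level > 9)
        return PARSE_BAD_NUMBER;

    for (p = end; *p != '\0'; p++)     /* only whitespace may follow */
        if (!isspace((unsigned char)*p))
            return PARSE_BAD_LINE;

    out->score = score;
    out->level = (int)level;
    return PARSE_OK;
}

/* Parse a whole file body already in memory. Stops at the first malformed
 * record and says why; a group-writable score file is untrusted input. */
static int parse_scores(const char *data, score_rec *recs, size_t cap, size_t *count)
{
    char buf[MAX_LINE];
    *count = 0;
    while (*data != '\0') {
        const char *nl = strchr(data, '\n');
        size_t len = nl ? (size_t)(nl - data) : strlen(data);
        if (len >= MAX_LINE)
            return PARSE_BAD_LINE;     /* the line itself would overflow buf */
        memcpy(buf, data, len);
        buf[len] = '\0';
        if (len > 0) {                 /* blank lines are ignored */
            if (*count >= cap)
                return PARSE_TOO_MANY; /* never write past recs[] */
            int st = parse_record(buf, &recs[*count]);
            if (st != PARSE_OK)
                return st;
            (*count)++;
        }
        if (nl == NULL)
            break;
        data = nl + 1;
    }
    return PARSE_OK;
}

/* Wrapper used for checking: parse a file body into a local table, return status. */
int scores_accept(const char *data)
{
    score_rec table[MAX_RECORDS];
    size_t n;
    return parse_scores(data, table, MAX_RECORDS, &n);
}
```

The design point is that the parser never lets the file decide how many bytes are copied or how many entries are written: the caller's buffer sizes set the limits and the file is held to them. A program that is setgid games reading such a file should also treat a parse failure as "ignore the table", not as "trust what was read so far".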

Mandriva: freeradius -- vulnerabilities
March 23, 2006

FreeRADIUS is subject to vulnerabilities that could allow a remote attacker to override authentication controls. The problem could also leave FreeRADIUS vulnerable to a DoS attack, because input is insufficiently validated when the EAP-MSCHAPv2 state machine module runs.

SUSE: freeradius -- vulnerability
March 28, 2006

The authentication server FreeRADIUS contains a DoS vulnerability. A remote attacker could exploit the vulnerability in the EAP-MSCHAPv2 client state machine. By doing so, the attacker could override authentication protocols and crash the server.

Ubuntu: libcairo2 -- Denial of Service
March 23, 2006

There is a vulnerability in libcairo that could be exploited to launch a DoS attack against Evolution. According to Mike Davis, who discovered the problem, the Cairo graphics rendering library fails to check the maximum length of strings when rendering glyphs. Consequently, an attacker could trick a user into opening a maliciously crafted email attachment, which would cause the Evolution server to crash repeatedly.
