February 10, 2006

Linux.com weekly security update - February 10, 2006

Author: Joe "Zonker" Brockmeier

Advisories were released this week for IPsec Tools, Adzapper, ELOG, and the Linux kernel. Vendors that released advisories are Debian, Gentoo, Fedora, Mandriva, and SUSE. No advisories were issued for Ubuntu this week.

Linux kernel DoS

The Linux kernels 2.6.12 through 2.6.15.2 are vulnerable to a Denial of Service (DoS) attack. The problem lies in the ip_options_echo() function in icmp.c, which fails when the kernel responds to an ICMP packet -- i.e., a ping.

The problem has already been fixed in the 2.6.15.3 kernel with a short patch that only applies to net/ipv4/icmp.c, and should not affect any other functions. The turnaround for the patch was very quick, less than one day, though the vulnerability has been present (if undetected) since the 2.6.12 kernel was released last year.

According to the description of the discovery, this is not an easy to exploit vulnerability. However, users should still upgrade their kernel as soon as a new kernel is available from the vendor.


Debian: gnocatan -- buffer overflow
February 3, 2006

Debian's advisory states:

A problem has been discovered in gnocatan, the computer version of the settlers of Catan boardgame, that can lead the server and other clients to exit via an assert, and hence does not permit the execution of arbitrary code. The game has been renamed into Pioneers after the release of Debian sarge.

Debian: ipsec-tools -- null dereference
February 6, 2006

Debian's advisory states:

The Internet Key Exchange version 1 (IKEv1) implementation in racoon from ipsec-tools, IPsec tools for Linux, try to dereference a NULL pointer under certain conditions which allows a remote attacker to cause a denial of service.

Debian: adzapper -- denial of service
February 9, 2006

Debian's advisory states:

Thomas Reifferscheid discovered that adzapper, a proxy advertisement zapper add-on, when installed as plugin in squid, the Internet object cache, can consume a lot of CPU resources and hence cause a denial of service on the proxy host.

Debian: elog -- several vulnerabilities
February 10, 2006

Debian's advisory states:

Several security problems have been found in elog, an electronic logbook to manage notes.

Fedora: unzip -- long file name buffer overflow
February 6, 2006

Fixes CVE-2005-4667 - unzip long file name buffer overflow.


Fedora: kernel -- denial of service
February 7, 2006

Fedora's advisory states:

This update fixes a remotely exploitable denial of service attack in the icmp networking code (CVE-2006-0454). An information leak has also been fixed (CVE-2006-0095), and some debugging patches that had accidentally been left applied in the previous update have been removed, restoring the functionality of the 'quiet' argument.

Gentoo: GStreamer FFmpeg plugin -- heap-based buffer overflow
February 5, 2006

Gentoo's advisory states:

The GStreamer FFmpeg plugin is vulnerable to a buffer overflow that may be exploited by attackers to execute arbitrary code.

Gentoo: PostgresSQL -- command injection
February 6, 2006

Gentoo's advisory states:

ADOdb is vulnerable to SQL injections if used in conjunction with a PostgreSQL database.

Gentoo: Apache -- multiple advisories
February 6, 2006

Gentoo's advisory states:

Apache can be exploited for cross-site scripting attacks and is vulnerable to a Denial of Service attack.

Mandriva: Updated openssh packages fix vulnerability
February 6, 2006

Mandriva's advisory states:

A flaw was discovered in the scp local-to-local copy implementation where filenames that contain shell metacharacters or spaces are expanded twice, which could lead to the execution of arbitrary commands if a local user could be tricked into a scp'ing a specially crafted filename. The provided updates bump the OpenSSH version to the latest release version of 4.3p1. A number of differences exist, primarily dealing with PAM authentication over the version included in Corporate 3.0 and MNF2. In particular, the default sshd_config now only accepts protocol 2 connections and UsePAM is now disabled by default. On systems using alternate authentication methods (ie. LDAP) that use the PAM stack for authentication, you will need to enable UsePAM. Note that the default /etc/pam.d/sshd file has also been modified to use the pam_listfile.so module which will deny access to any users listed in /etc/ssh/denyusers (by default, this is only the root user). This is required to preserve the expected behaviour when using "PermitRootLogin without-password"; otherwise it would still be possible to obtain a login prompt and login without using keys. Mandriva Linux 10.1 and newer already have these changes in their shipped versions. There are new features in OpenSSH and users are encouraged to review the new sshd_config and ssh_config files when upgrading.

Mandriva: Updated mozilla-firefox packages to address DoS vulnerability
February 7, 2006

Mandriva's advisory states:

Mozilla and Mozilla Firefox allow remote attackers to cause a denial of service (CPU consumption and delayed application startup) via a web site with a large title, which is recorded in history.dat but not processed efficiently during startup. (CVE-2005-4134) The Javascript interpreter (jsinterp.c) in Mozilla and Firefox before 1.5.1 does not properly dereference objects, which allows remote attackers to cause a denial of service (crash) or execute arbitrary code via unknown attack vectors related to garbage collection. (CVE-2006-0292) The XULDocument.persist function in Mozilla, Firefox before 1.5.0.1, and SeaMonkey before 1.0 does not validate the attribute name, which allows remote attackers to execute arbitrary Javascript by injecting RDF data into the user's localstore.rdf file. (CVE-2006-0296) Updated packages are patched to address these issues.

Mandriva: Updated groff packages fix temporary file vulnerabilities
February 8, 2006

Mandriva's advisory states:

The Trustix Secure Linux team discovered a vulnerability in the groffer utility, part of the groff package. It created a temporary directory in an insecure way which allowed for the exploitation of a race condition to create or overwrite files the privileges of the user invoking groffer. Likewise, similar temporary file issues were fixed in the pic2graph and eqn2graph programs which now use mktemp to create temporary files, as discovered by Javier Fernandez-Sanguino Pena. The updated packages have been patched to correct this issue.

SUSE: kernel remote denial of service
February 9, 2006

SUSE's advisory states:

The Linux kernel on SUSE Linux 10.0 has been updated to fix following security problems: - CVE-2006-0454: An extra dst release when ip_options_echo failed was fixed. (

Category:

  • Linux
Click Here!