Author: Kelley Greenman
GnuPG false positive vulnerability fixed
Debian, Fedora, Gentoo, Mandriva, SUSE, and Ubuntu issued updates to address a vulnerability in GNU Privacy Guard (GnuPG) discovered by Tavis Ormandy of the Gentoo Project. GnuPG is a free replacement for PGP. When using current versions of GnuPG, Ormandy found that GnuPG returned false positives on unattended signature verifications in scripts and mail programs. The process yielded successful exit code even if the file did not contain a signature.
The correct method for checking results is to examine the status message. However, security advisories warned that third party applications may not adhere to the recommendation, checking only the exit code when determining the validity of a detached signature. Consequently, it’s possible to trick an application into reporting successful results, a problem that is found in the gpgv signature verification tool, or when using gpg --verify to imitate gpgv.
According to Werner Koch of GNU Privacy Guard, there is no problem when “the –status-fd generated output is used to decide whether a signature is valid.” Thus, Koch concluded, applications that use “the GPGME library[2] are not affected.”
GnuPG users should upgrade to GnuPG 1.4.2.1 as soon as possible.
Debian: gnupg –programming error
February 17, 2006
According to an advisory from Debian, Tavis Ormandy discovered that GnuPG (the GNU privacy guard) would verify an external signature file even if the files do not contain a signature. The problem has been fixed in the old stable distribution (woody) version 1.0.6-4woody4 and in the stable distribution (sarge) version 1.4.1-1sarge1. They are still working on an upgrade for the the
unstable distribution (sid).
Debian: pdfkit.framework — several vulnerabilities
February 17, 2006
Several potential vulnerabilities were fixed by Debian’s Derek Noonburg this week. Affected Debian packages were xpdf, the Portable Document Format (PDF) suite, and pdfkit.framework, which is the GNUstep framework for rendering PDF content. Debian’s advisory notes that the update is only available for the stable distribution (sarge) version 0.8-2sarge3.
Debian: tutos — several vulnerabilities
February 22, 2006
Joxean Koret located an SQL injection vulnerability and Cross-Site-Scripting vulnerabilities in TUTOS, a web-based team organization software. The problem, according to the Debian advisory, is in the stable distribution (sarge) version 1.1.20031017-2+1sarge1. Neither the old stable distribution (woody) nor the unstable distribution (sid) contain TUTOS packages.
Fedora: gnupg — vulnerability
February 17, 2006
Fedora’s security advisory announces a fix for GnuPG. A security hole in version 1.4.2 of GnuPG allowed successful verification of signature files even if the signature was missing.
Gentoo: gpdf — heap overflow
February 12, 2006
A heap overflow vulnerability in the Xpdf codebase was discovered by Dirk Mueller, according to Gentoo’s security advisory. When Xpdf handles PDF splash images larger than the associated bitmap it can execute arbitrary code when a PDF is opened with GPdf.
Mandriva: libtiff — buffer overflow
February 17, 2006
According to this week’s Mandriva
security advisory, a remote attacker could exploit a buffer overflow vulnerability. By introducing a TIFF file containing a malformed BitsPerSample tag, the attacker could execute arbitrary code.
Mandriva: gnupg — signature verification weakness
February 17, 2006
Mandriva released an update addressing the flaw in GnuPG discovered by Tavis Ormandy. The flaw returns a successful verification code even when the file is missing a valid signature file.
Mandriva: tar — buffer overflow
February 21, 2006
According to the advisory, GNU tar versions 1.14 and above have a buffer overflow vulnerability and some other issues including: Specially crafted invalid headers can trigger a buffer overflow.
Mandriva: metamail — buffer overflow
February 22, 2006
Metamail is vulnerable to a buffer overflow discovered by Ulf Harnhammar. When parsing a specially crafted message, this week’s Mandriva advisory warned, metamail could launch arbitrary code with the privileges of the user running metamail.
SUSE: gpg, liby2util — remote code execution
February 20, 2006
The latest SUSE advisory warns that the GPG vulnerability “could make automated checkers, like for instance the patch file verification checker of the YaST Online Update, pass malicious patch files as correct.”
SUSE: CASA — buffer overflow
February 22, 2006
A SUSE advisory warned that machines with CASA installed have a stack buffer overflow vulnerability in the pam_micasa authentication module. The security hole could allow a remote attacker to gain root access.
Ubuntu: gnupg — vulnerability
February 17, 2006
Ubuntu’s advisory warns of a potential vulnerability in GnuPG, the GNU Privacy Guard. gpg and gpg report valid signature files even if they contain no signature. The Ubuntu package signature checks is not affected by this vulnerability.
Ubuntu: heimdal — denial of service vulnerability
February 17, 2006
The Heimdal implementation of the telnet daemon is vulnerable to a remote Denial of Service attack. According to the Ubuntu security advisory, a “remote attacker could force the server to crash due to a NULL de-reference before the user logged in, resulting in inetd turning telnetd off because it forked too fast.” While Ubuntu doesn’t support the Heimdal-servers package, it does support the heimdal source package.
Ubuntu: noweb — insecure script handling
February 21, 2006
A vulnerability in the way noweb scripts create temporary files was discovered by Javier Fernández-Sanguino Peña. Ubuntu’s advisory warned that noweb is vulnerable to a symlink attack that could either create or overwrite arbitrary files with user privileges.
Ubuntu: openssh — shell code injection flaw
February 21, 2006
Ubuntu announced a shell code injection flaw in scp which was discovered by Tomas Mraz. The flaw could be exploited by an attacker to execute arbitrary shell commands when a user is tricked into using scp on a maliciously crafted file name.
Ubuntu: bluez-hcidump — denial of service
February 21, 2006
According to Pierre Betouin, a remote attacker could crash hcidump with a specially crafted L2CAP (Logical Link Control and Adaptation Layer Protocol) packet sent through a wireless Bluetooth connection. Ubuntu’s advisory noted that it is a low-level threat since hcidump is a debugging tool.
Ubuntu: tar — arbitrary code execution
February 23, 2006
A vulnerability in GNU tar, discovered by Jim Meyering, can be exploited using a specially crafted tar archive according to the advisory from Ubuntu. When a user is tricked into handling a specially crafted tar archive, arbitrary code can be executed with the privileges of that user.
Category:
- Security
