SuSE: ‘wuftpd’ Remote buffer overflow vulnerability
Author: JT Smith
______________________________________________________________________________
SuSE Security Announcement
Package: wuftpd
Announcement-ID: SuSE-SA:2001:043
Date: Wednesday, Nov. 28th, 2001 23:45 MET
Affected SuSE versions: 6.3, 6.4, 7.0, 7.1, 7.2, 7.3
Vulnerability Type: remote root compromise
Severity (1-10): 7
SuSE default package: no
Other affected systems: all Linux-like systems using wu-ftpd 2.4.x / 2.6.0 / 2.6.1
Content of this advisory:
1) security vulnerability resolved: wuftpd
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information
The wuftpd package as shipped with SuSE Linux distributions comes with
two versions of wuftpd: wuftpd-2.4.2, installed as /usr/sbin/wuftpd,
and wuftpd-2.6.0, installed as /usr/sbin/wuftpd-2.6.
The admin decides which version to use by the inetd/xinetd
configuration.
The CORE ST team has found an exploitable bug in the ftpglob() function of
all wuftpd versions.
The glob function overwrites buffer bounds while matching open and closed
brackets. Because the buffer is left without a terminating NUL byte ('\0'),
a later call to a function that frees allocated memory feeds free(3) with
user-defined data. Whether this bug can be exploited depends on the
implementation of the dynamic memory allocation API (malloc(3), free(3))
in the libc library. Linux and other systems are exploitable!
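The bug class described above, as an added C illustration written for this page rather than wu-ftpd's own code: a brace-group copier that neither bounds its output nor writes the terminating NUL, beside a bounded version that does. The `{...}` grammar, the buffer sizes and all function names are constructed for the example.

```c
/* Added illustration, not wu-ftpd's code: the bug class the advisory
 * describes.  A copier extracts the text between matching braces of a
 * pattern such as "{a,b}" into a caller's buffer; the unsafe shape keeps
 * no bound and writes no terminating NUL, the bounded shape does both. */
#include <stddef.h>
#include <string.h>

/* Unsafe shape: bytes land in out[] while the braces are open, with no
 * bound and no NUL, so whatever follows the copied bytes (stale data,
 * heap bookkeeping) is later read as part of the string. */
size_t unsafe_copy_group(const char *pat, char *out)
{
    size_t n = 0;
    int depth = 0;
    for (; *pat; pat++) {
        if (*pat == '{' && depth++ == 0) continue;   /* outermost '{' */
        if (*pat == '}' && --depth == 0) break;      /* outermost '}' */
        if (depth > 0) out[n++] = *pat;
    }
    return n;
}

/* Bounded shape: same matching, but rejects a stray '}', an unclosed '{'
 * and output that would not fit with its NUL, and always leaves out[]
 * terminated.  Returns the copied length, or -1 on rejection. */
int safe_copy_group(const char *pat, char *out, size_t outsz)
{
    size_t n = 0;
    int depth = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (; *pat; pat++) {
        if (*pat == '{' && depth++ == 0) continue;
        if (*pat == '}') {
            if (--depth == 0) { out[n] = '\0'; return (int)n; }
            if (depth < 0) return -1;                /* stray '}' */
        }
        if (depth > 0) {
            if (n + 1 >= outsz) { out[0] = '\0'; return -1; } /* no room for NUL */
            out[n++] = *pat;
        }
    }
    out[0] = '\0';
    return -1;                                       /* unclosed '{' */
}

/* 1 if the bounded copier accepts pat and produces exactly expect. */
int safe_copy_matches(const char *pat, const char *expect)
{
    char out[16];
    return safe_copy_group(pat, out, sizeof out) >= 0 && strcmp(out, expect) == 0;
}

/* Defined-behaviour view of the missing terminator: fill a region with
 * 'X', keep a sentinel NUL just past it, run one copier on a pattern that
 * fits, and return the length strlen() then believes the result has. */
#define REGION 8
size_t visible_len(int use_safe, const char *pat)
{
    char buf[REGION + 1];
    memset(buf, 'X', REGION);
    buf[REGION] = '\0';                              /* sentinel outside the region */
    if (use_safe) {
        if (safe_copy_group(pat, buf, REGION) < 0) return (size_t)-1;
    } else {
        unsafe_copy_group(pat, buf);                 /* pat content must fit REGION */
    }
    return strlen(buf);                              /* unsafe: runs on into the 'X's */
}
```

With the unsafe copier, `visible_len(0, "{ab}")` reports the whole 8-byte region as the string; the bounded copier reports 2 and refuses patterns that would not fit.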
Some weeks ago, an internal source code audit of wu-ftpd 2.6.0 performed
by Thomas Biege, SuSE Security, revealed some other security related bugs
that are fixed in the new RPM packages. Additionally, code from wu-ftpd
2.6.1 was backported to version 2.6.0 to make it more stable.
A temporary fix other than using a different server implementation of
the ftp protocol is not available. We recommend updating the wuftpd
package on your system.
We thank the wuftpd team for their work on the bug, particularly because
the coordination between the vendors and the wuftpd developers lacked
the necessary discipline for the timely release of the information
about the problem.
Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Uhv file.rpm" to apply
the update.
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ssh/openssh exploits
The wrong fix for the crc32-compensation attack is currently being actively
exploited on the Internet for both the ssh and the openssh
implementations of the ssh-1 protocol.
We urge our users to upgrade their ssh or openssh packages to the
latest versions that are located on our ftp server at the usual
directories, referred to via
http://www.suse.de/de/support/security/adv004_ssh.txt from February
earlier this year.
Please note, the packages for the SuSE Linux distributions 7.0 and
older containing cryptographic code are located on the German ftp
server ftp.suse.de, the distributions 7.1 and newer have their crypto
updates on ftp.suse.com. There are legal constraints beyond our
control that lead to this situation.
Openssh packages of version 2.9.9p2 are ready for download on the ftp
server ftp.suse.com. They fix the security problems mentioned above,
along with a set of less serious security problems.
The announcement is still pending while investigations about the
status of the package are in progress.
- libgtop_daemon
The libgtop_daemon, part of the libgtop package for gathering and
monitoring process and system information, has been found vulnerable
to a format string error. We are in the process of providing fixes for
the affected distributions 6.4-7.3. In the meantime, we recommend
disabling the libgtop_daemon on systems where it is running. This daemon
is neither installed nor started (if installed) by default on SuSE
systems.
- kernel updates
A bug in the ELF loader of the Linux 2.4 kernels from our
announcement SSA:2001:036 can cause a system to crash if a user
executes a vmlinux kernel image. We are preparing another update
series to workaround this problem and will re-issue the kernel
announcement as soon as possible.
______________________________________________________________________________
3) standard appendix:
SuSE runs two security mailing lists to which any interested party may
subscribe:
suse-security@suse.com
- general/linux/SuSE security discussion.
All SuSE security announcements are sent to this list.
To subscribe, send an email to
suse-security-subscribe@suse.com.
suse-security-announce@suse.com
- SuSE's announce-only mailing list.
Only SuSE's security announcements are sent to this list.
To subscribe, send an email to
suse-security-announce-subscribe@suse.com.
For general information or the frequently asked questions (faq)
send mail to:
suse-security-info@suse.com or
suse-security-faq@suse.com respectively.
===============================================
SuSE's security contact is security@suse.com.
===============================================
______________________________________________________________________________
The information in this advisory may be distributed or reproduced,
provided that the advisory is not modified in any way.
SuSE GmbH makes no warranties of any kind whatsoever with respect
to the information contained in this security advisory.
Caldera: ‘wu-ftpd’ Remote buffer overflow vulnerability
Author: JT Smith
______________________________________________________________________________
Caldera International, Inc. Security Advisory
Subject: Linux - Vulnerability in wu-ftpd
Advisory number: CSSA-2001-041.0
Issue date: 2001, November 28
Cross reference:
______________________________________________________________________________
1. Problem Description
The CoreST team has discovered a vulnerability in wu-ftpd that can be
exploited to obtain root access to the FTP server.
We recommend that customers immediately upgrade to the fixed
version. If you do not need FTP service, remove the package.
2. Vulnerable Versions
System                      Package
-----------------------------------------------------------
OpenLinux 2.3               All packages previous to
                            wu-ftpd-2.6.1-13OL
OpenLinux eServer 2.3.1     All packages previous to
and OpenLinux eBuilder      wu-ftpd-2.6.1-13OL
OpenLinux eDesktop 2.4      All packages previous to
                            wu-ftpd-2.6.1-13OL
OpenLinux Server 3.1        All packages previous to
                            wu-ftpd-2.6.1-13
OpenLinux Workstation 3.1   not vulnerable
3. Solution
Workaround
If you do not need wu-ftpd installed, remove it by running
the following command as root:
rpm -e wu-ftpd
The proper solution is to upgrade to the latest packages.
4. OpenLinux 2.3
4.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/2.3/current/SRPMS
4.2 Verification
d6a618f9fe6a3ae99a1c54a405ab169a RPMS/wu-ftpd-2.6.1-13OL.i386.rpm
64ee3731783c12da3a5c164acb3ed239 SRPMS/wu-ftpd-2.6.1-13OL.src.rpm
4.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh wu-ftpd-2.6.1-13OL.i386.rpm
5. OpenLinux eServer 2.3.1 and OpenLinux eBuilder for ECential 3.0
5.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eServer/2.3/current/SRPMS
5.2 Verification
a9396078593fc3e4445d3d691df484be RPMS/wu-ftpd-2.6.1-13OL.i386.rpm
64ee3731783c12da3a5c164acb3ed239 SRPMS/wu-ftpd-2.6.1-13OL.src.rpm
5.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh wu-ftpd-2.6.1-13OL.i386.rpm
6. OpenLinux eDesktop 2.4
6.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/eDesktop/2.4/current/SRPMS
6.2 Verification
3edfa831ea0d3cc94f3b7a1e1bd49723 RPMS/wu-ftpd-2.6.1-13OL.i386.rpm
64ee3731783c12da3a5c164acb3ed239 SRPMS/wu-ftpd-2.6.1-13OL.src.rpm
6.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh wu-ftpd-2.6.1-13OL.i386.rpm
7. OpenLinux 3.1 Server
7.1 Location of Fixed Packages
The upgrade packages can be found on Caldera's FTP site at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
The corresponding source code package can be found at:
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/SRPMS
7.2 Verification
13e54795ceba03b48c7ac4a9c7616d70 RPMS/wu-ftpd-2.6.1-13.i386.rpm
a14359f0a93b7e82d20df2c000a81b9a SRPMS/wu-ftpd-2.6.1-13.src.rpm
7.3 Installing Fixed Packages
Upgrade the affected packages with the following commands:
rpm -Fvh wu-ftpd-2.6.1-13.i386.rpm
8. OpenLinux 3.1 Workstation
not vulnerable
9. References
This and other Caldera security resources are located at:
http://www.caldera.com/support/security/index.html
This security fix closes Caldera's internal Problem Report 11023.
10. Disclaimer
Caldera International, Inc. is not responsible for the misuse of
any of the information we provide on this website and/or through our
security advisories. Our advisories are a service to our customers
intended to promote secure installation and use of Caldera OpenLinux.
11. Acknowledgements
Caldera wishes to thank Core ST and Ivan Arce for their efforts to
coordinate the publication of this vulnerability with all affected
vendors.
______________________________________________________________________________
Web site silenced over DVD secrets
Author: JT Smith
court’s decision. A three-judge panel ruled on Wednesday
that Eric Corley should not be allowed to post details of, or link to,
descrambling software on the 2600 magazine Web site. More from CNet.
Windows on Linux: Real choices, real products
Author: JT Smith
I was recently bemused to see some people praising to high heaven the
upcoming arrival of Lindows, which promises to enable Linux users to run
Microsoft's Windows. It's funny because 1.) other than a catchy name, Lindows is
vaporware and 2.) we've already had MS Windows running
on Linux, and before that Unix, for years.
There are already several Windows and Linux (WAL) programs out there. The three most popular are
VMWare's VMWare Workstation 3.0; NeTraverse's Win4Lin 3.0; and WINE. They all take very different approaches to
bringing Windows to Linux users and each works best for different users.
VMWare
VMWare, for example, is not a Windows emulator at all. It’s not a Linux product either. Instead, it’s a
platform for running multiple operating systems concurrently.
VMWare likes to call each instance of an operating system
running a “VMWare world,” but most people call them virtual
machines (VM). It has more in common with IBM’s
Multiple Virtual Storage (MVS) operating system for
mainframes than it does with Unix.
The key word in VMWare is that it runs operating systems
“concurrently.” You’re not running Windows on top of
Linux; you’re running Windows and Linux at the same time on
the same machine with VMWare playing system resource
referee.
The good news is that you get essentially the full functionality
of, say, XP Professional with SuSE 7.3 or your choice of many
Intel-based Linux distributions. The bad news is there’s a price to
pay for VMs, and that is performance.
For example, if all you really want Windows for is to play
games, VMWare will let you run almost any game. But, the
same game will run much better on the same hardware if you
run pure Windows on the machine. The same is
also true of office software.
So who should run VMWare? Developers will love it. Will that
code run on Caldera Linux and Red Hat Linux? With VMWare,
it’s a snap. It’s also helpful to trainers, help desk workers or
system administrators–anyone who really needs to switch
operating systems in a hurry.
Win4Lin
Like VMWare, Win4Lin requires a real copy of Windows (95 or
98 only) before you can run Windows. The key technical
difference between the pair is that Win4Lin runs Windows, and
any of its applications, on a virtual hardware platform. When
Windows calls for a file under VMWare, for example, it uses its native file system — either FAT-32 or NTFS.
Under Win4Lin, Windows will use your Linux file
system.
Win4Lin does this by running an entire set of servers and
drivers that create a virtual PC. From the Windows perspective,
it has an entire PC to itself. It’s actually running on top of the
Win4Lin VM and its underlying Linux system.
The win for Windows users is that Win4Lin uses far fewer system
resources than VMWare. This, combined with the use of native
Linux file systems and network stacks, makes Win4Lin
Windows very responsive. Unlike some stories you may
have heard, this doesn’t make Win4Lin Windows as fast as
native Windows on the same hardware, but it does make Windows
fast enough to use enjoyably on a system with as little as
128MB of RAM and a Pentium 350MHz processor. Only
someone with great patience would want to run VMWare on
this level of hardware.
On the other hand, because Win4Lin presents a virtual PC to the
operating system, you’re limited to the VM’s emulated
resources instead of the hardware’s real resources. For example,
you can’t use USB or FireWire devices because the virtual PC
only supports serial and parallel ports. You also can’t use
advanced writeable devices such as CD-R and CD-RWs.
There are also a few other quirks. For example, DirectX, used by
many games for better graphics performance, isn’t supported.
Some modern games, such as Diablo II, will run under
Win4Lin, but don’t expect full functionality. In my own case,
I’ve been unable to find any way to run Diablo II in its
multiplayer Battlenet mode.
Still, if all you really want to do is to run today's bread-and-butter
Windows home and office software, Win4Lin is hard to
beat. Because Win4Lin is limited to Windows 95 and 98 and
Microsoft is intent on moving users and applications to XP as
fast as possible, Win4Lin will need to play catch-up in the
future to ensure that the next generation of Windows software
will run on it. When all you want is for you or your office to use
office applications, like Microsoft Office, Intuit Quicken, Lotus
SmartSuite and Notes, and the like while keeping the power
and stability of Linux, Win4Lin is your best choice. In short,
Win4Lin is the Windows on Linux for most office and home users.
WINE
WINE doesn’t hold with running VMs on
hardware (VMWare) or the operating system (Win4Lin).
Instead, WINE creates a set of programs that emulate Windows
3.x and Win32 APIs in Unix.
WINE is a series of Unix programs that, from a Windows
application’s viewpoint, look and act just like the original
Windows dynamic link libraries (DLLs). And yes, that includes
faithful reverse engineering of Windows bugs as well.
The result is a pure Unix/Linux environment where you can run
many Windows programs with varying degrees of success.
Despite years of effort, because WINE must perpetually chase
Microsoft’s constant changes to its Windows APIs and DLLs,
how well a given Windows application will run with WINE is a hit-or-miss affair. The WINE people come right
out and tell you that after seven years of work, WINE is still a
developers-only release. They're right.
You can use WINE today. Just be ready,
even with well-supported applications like Office 97, to do
some tweaking with the installation before you’re running
Microsoft Word in a KDE window.
You can sneak around the problems still lurking in WINE by
having it use Windows native files and DLLs in a Windows
partition. But let's get real: if you're doing that, you might as
well be running VMWare or Win4Lin instead.
Will the application you want run on WINE? Check
CodeWeaver’s WINE application database. Don’t assume, though, that because a program is listed it will run.
Why would you want to use WINE? There are some
technical reasons. For instance, unlike Win4Lin, WINE does
have some DirectX support and has more complete device
support. Practically speaking, WINE's most popular application
is the popular first-person shooter, Half-Life. Other games are
also best-selling WINE programs.
The real reason to use WINE is if there is a
supported Windows application that you absolutely must use,
and you don’t want to spend a single solitary dime on a
Microsoft operating system license. WINE is limited Windows
support for people who hate Windows.
Still interested? I highly recommend using CodeWeaver’s WINE implementation. That version, available as an RPM, is the most polished one
now available.
Is Win on Lin a Win?
It’s bottom-line time. If you’re a developer or anyone else who
needs fully functioning Microsoft and Linux operating systems
on one machine at your beck and call, VMWare is for you. If
you just want support for most basic home and office
applications, Win4Lin really should be your program of choice.
And, if you can’t stand Microsoft, but you really want that one
Windows application or game on your GNOME desktop and
you’re comfortable with HOWTO files, you should have some
WINE.
Lindows? Sorry, it’s hard to do
anything with vapor. Technical details have been sketchy, but
essentially Lindows will build on top of WINE. While
WINE has not been the best-supported Open Source project
over the years, I find it hard to believe that even with CEO
Michael Robertson’s millions and a dedicated staff of 20, that
Lindows will be able to significantly improve on WINE’s
current compatibility level anytime in the near future.
One point all these efforts miss is that
resources spent on bringing Windows and its applications to
Linux are time, expertise and money that could be spent in bringing
better Linux applications to Linux. I can understand
the short-term desire to run Windows applications on Linux. I
do it myself with both Win4Lin and VMWare. But, in the long
run, chasing Microsoft is probably a losing game for the Linux
desktop. 100% Windows running on its own
dedicated hardware will always do the best job of running 100%
Windows applications.
Star Office 6 (Beta) review
Author: JT Smith
Read the full review at www.linuxlookup.com.