[ISN] Linux Advisory Watch - November 19th 2004

InfoSec News isn at c4i.org
Mon Nov 22 07:10:17 EST 2004

|  LinuxSecurity.com                             Weekly Newsletter    |
|  November 19th, 2004                          Volume 5, Number 46a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each

This week, advisories were released for libxml2, MySQL, imagemagick,
Apache, fetch, Ruby, BNC, Squirrelmail, gd, sudo, totem, drakxtools,
httpd, freeradius, libxml2, and iptables.  The distributors include
Conectiva, Debian, Fedora, FreeBSD, Gentoo, Mandrake, Red Hat, Suse, and

----- LinuxSecurity.com Version 2 -----

Get ready ... on December 1st the new LinuxSecurity.com site will be
revealed. The same great content you've come to expect with a whole new
look and great new features. A sneak preview is coming soon!



Root Security

The most sought-after account on your machine is the superuser account.
This account has authority over the entire machine, which may also include
authority over other machines on the network. Remember that you should
only use the root account for very short specific tasks and should mostly
run as a normal user. Running as root all the time is a very very very bad

Several tricks to avoid messing up your own box as root:

* When running a complex command, try it first in a non-destructive way,
especially commands that use globbing. For example, before running rm
foo*.bak, first run ls foo*.bak and make sure you are going to delete the
files you think you are. Substituting echo for the destructive command also
sometimes works.

* Provide your users with a default alias to the /bin/rm command to ask
for confirmation for deletion of files.

* Only become root to do single specific tasks. If you find yourself
trying to figure out how to do something, go back to a normal user shell
until you are sure what needs to be done by root.

* The command path for the root user is very important.  The command path,
or the PATH environment variable, defines the location the shell searches
for programs.  Try and limit the command path for the root user as much as
possible, and never use '.', meaning 'the current directory', in your PATH
statement.  Additionally, never have writable directories in your search
path, as this can allow attackers to modify or place new binaries in your
search path, allowing them to run as root the next time you run that

* Never use the rlogin/rsh/rexec (called the ``r-utilities'') suite of
tools as root. They are subject to many sorts of attacks, and are
downright dangerous run as root. Never create a .rhosts file for root.

* The /etc/securetty file contains a list of terminals that root can login
from. By default (on Red Hat Linux) this is set to only the local virtual
consoles (vtys). Be very careful of adding anything else to this file. You
should be able to login remotely as your regular user account and then use
su if you need to (hopefully over ssh or other encrypted channel), so
there is no need to be able to login directly as root.

* Always be slow and deliberate running as root. Your actions could affect
a lot of things. Think before you type!
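The PATH advice above, turned into a check an administrator can run: an added shell example (not from the newsletter or the LinuxSecurity guide) that audits a PATH string for '.' or empty components, relative entries, and group- or world-writable directories.

```shell
#!/bin/sh
# audit_root_path - check a PATH value against the advice above: no '.' or
# empty component, no relative entries, no group- or world-writable directory.
# Added example, not from the newsletter or the LinuxSecurity guide.
# Usage: audit_root_path [PATH-string]   (defaults to the caller's $PATH)
# Prints one finding per line and returns 1 if any WARN was produced.
audit_root_path() {
    path="${1-$PATH}"
    findings=0
    # An empty component (leading/trailing ':' or '::') is searched as the
    # current directory, exactly like an explicit '.', so flag it first.
    case ":$path:" in
        *::*) echo "WARN: empty PATH component (searched as current directory)"
              findings=$((findings + 1)) ;;
    esac

    old_ifs=$IFS
    IFS=:
    set -f                                  # never glob-expand PATH components
    for dir in $path; do
        [ -n "$dir" ] || continue           # empty component reported above
        case "$dir" in
            .|./*) echo "WARN: '$dir' is the current directory"
                   findings=$((findings + 1)); continue ;;
            /*)    ;;
            *)     echo "WARN: '$dir' is relative (resolved against the cwd)"
                   findings=$((findings + 1)); continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "INFO: '$dir' does not exist"
            continue
        fi
        # ls -ld permission string: char 6 = group write bit, char 9 = other write bit
        perms=$(ls -ldL "$dir" | cut -c1-10)
        case "$perms" in
            ????????w?) echo "WARN: '$dir' is world-writable ($perms)"
                        findings=$((findings + 1)) ;;
            ?????w????) echo "WARN: '$dir' is group-writable ($perms)"
                        findings=$((findings + 1)) ;;
        esac
    done
    set +f
    IFS=$old_ifs
    [ "$findings" -eq 0 ]
}

# Example run against the live environment (output varies per system):
audit_root_path "$PATH" || echo "PATH needs attention"
```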

If you absolutely positively need to allow someone (hopefully very
trusted) to have superuser access to your machine, there are a few tools
that can help. sudo allows users to use their password to access a limited
set of commands as root. sudo keeps a log of all successful and
unsuccessful sudo attempts, allowing you to track down who used what
command to do what. For this reason sudo works well even in places where a
number of people have root access, but use sudo so you can keep track of
changes made.

Although sudo can be used to give specific users specific privileges for
specific tasks, it does have several shortcomings. It should be used only
for a limited set of tasks, like restarting a server, or adding new users.
Any program that offers a shell escape will give the user root access; this
includes most editors, for example.  Also, a program as innocuous as
/bin/cat can be used to overwrite files, which could allow the root account
to be compromised. Consider sudo a means for accountability, and don't
expect it to replace the root user while remaining secure.
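The accountability role the text gives sudo, as an added example (not from the newsletter, the LinuxSecurity guide or the sudo project): a shell function that summarizes sudo's syslog records per user and marks commands of the kind the text calls root-equivalent. The sample log lines are constructed, and the list of flagged programs is an assumption, not a vendor list.

```shell
#!/bin/sh
# sudo_log_review - read sudo syslog records from stdin, print one line per
# attempt (ALLOWED / DENIED / AUTHFAIL) and a per-user summary, and mark
# programs that hand out a root shell or can rewrite files (editors, pagers,
# shells, cat, tee, dd). Added example; RISKY list and sample lines are constructed.
sudo_log_review() {
    awk '
    BEGIN {
        # Assumed list of programs whose grant is effectively unrestricted root.
        split("sh bash ksh csh zsh vi vim ed emacs nano less more man cat tee dd", r, " ")
        for (i in r) risky[r[i]] = 1
    }
    $5 == "sudo:" {
        user = $6
        if ($0 ~ /incorrect password attempt/) { verdict = "AUTHFAIL"; authfail[user]++ }
        else if ($0 ~ /command not allowed/)   { verdict = "DENIED";   denied[user]++ }
        else if (index($0, "COMMAND=") > 0)    { verdict = "ALLOWED";  allowed[user]++ }
        else next                               # session open/close and other noise
        cmd = ""; note = ""
        if ((i = index($0, "COMMAND=")) > 0) {
            cmd = substr($0, i + 8)
            split(cmd, parts, " "); m = split(parts[1], path, "/")
            if (path[m] in risky) note = "  <-- root-equivalent program: " path[m]
        }
        printf "%-8s %-8s %s%s\n", verdict, user, cmd, note
    }
    END {
        for (u in allowed)  seen[u] = 1
        for (u in denied)   seen[u] = 1
        for (u in authfail) seen[u] = 1
        for (u in seen)
            printf "SUMMARY  %-8s allowed=%d denied=%d authfail=%d\n", u, allowed[u], denied[u], authfail[u]
    }'
}

# Constructed sample records in the syslog format sudo writes (not real log data).
SAMPLE_LOG='Nov 19 09:01:10 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/sbin/service httpd restart
Nov 19 09:02:33 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow
Nov 19 09:05:47 web1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Nov 19 09:06:02 web1 sudo:      bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vi /etc/sudoers
Nov 19 09:07:15 web1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/sbin/useradd dave'

printf '%s\n' "$SAMPLE_LOG" | sudo_log_review
```

On a live system feed it the auth log (for example `sudo_log_review < /var/log/auth.log` or the equivalent syslog file on your distribution).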

Excerpt from the LinuxSecurity Administrator's Guide:

Written by: Dave Wreski (dave at guardiandigital.com)


Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server
architecture to check for changes on a system.  A central server maintains
the file-integrity database and configuration for a client and at a
specified time, sends the configuration file over to the client, runs a
scan and sends the results back to the server to compare any changes.
Those changes are then sent via email, if configured, to a system admin or
group of people.  The communication is all done over an encrypted
communication channel.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Conectiva        | ----------------------------//

 11/18/2004 - libxml2
   buffer overflow vulnerabilities fix

   This update fixes a buffer overflow vulnerability[2,3] in the URI
   parsing code found by "infamous41md" at the nanoftp and nanohttp
   modules of libxml2. An attacker may exploit this vulnerability to
   execute arbitrary code with the privileges of the user running an
   affected application.

 11/18/2004 - MySQL
   vulnerabilities fix

   Oleksandr Byelkin noticed[2] that ALTER TABLE ... RENAME checks
   CREATE/INSERT rights of the old table instead of the new one.
   Lukasz Wojtow noticed[3] a buffer overrun in the
   mysql_real_connect() function.

|  Distribution: Debian           | ----------------------------//

 11/12/2004 - ez-ipupdate
   format string vulnerability fix

   Ulf Härnhammar from the Debian Security Audit Project discovered a
   format string vulnerability in ez-ipupdate, a client for many
   dynamic DNS services. This problem can only be exploited if
   ez-ipupdate is running in daemon mode (most likely) with many but
   not all service types.

 11/16/2004 - imagemagick
   arbitrary code execution fix

   A vulnerability has been reported for ImageMagick, a commonly used
   image manipulation library.  Due to a boundary error within the
   EXIF parsing routine, a specially crafted graphic image could
   lead to the execution of arbitrary code.

 11/17/2004 - Apache
   arbitrary code execution fix

   "Crazy Einstein" has discovered a vulnerability in the
   "mod_include" module, which can cause a buffer to be overflown and
   could lead to the execution of arbitrary code.

|  Distribution: Fedora           | ----------------------------//

 11/12/2004 - httpd-2.0.51-2.9 update
   arbitrary code execution fix

   This update includes the fixes for an issue in mod_ssl which could
   lead to a bypass of an SSLCipherSuite setting in directory or
   location context (CVE CAN-2004-0885), and a memory consumption
   denial of service issue in the handling of request header lines
   (CVE CAN-2004-0942).

 11/12/2004 - httpd-2.0.52-3.1 update
   arbitrary code execution fix

   This update includes the fix for a memory consumption denial of
   service issue in the handling of request header lines (CVE

 11/12/2004 - subversion-1.0.9-1 update
   arbitrary code execution fix

   This update includes the latest release of Subversion 1.0,
   including the fix for a regression in the performance of
   repository browsing since version 1.0.8.

 11/12/2004 - subversion-1.1.1-1.1 update
   arbitrary code execution fix

   This update includes the latest release of Subversion 1.1,
   including the fix for a regression in the performance of
   repository browsing since version 1.1.0 and a variety of other bug

 11/12/2004 - gdb-6.1post-1.20040607.43 update
   arbitrary code execution fix

   #136455 workaround to prevent gdb from failing and getting stuck
   when hitting certain DWARF-2 symbols.

 11/16/2004 - abiword-2.0.12-4.fc3 update
   arbitrary code execution fix

   Backport fix to stop #rh139201# crash on CTRL-A and making font

 11/16/2004 - authd-1.4.3-1 update
   arbitrary code execution fix

   fix double-free prob detected on x86_64 glibc (#136392)

 11/16/2004 - gaim-1.0.3-0.FC3 update
   arbitrary code execution fix

   1.0.3 another bugfix release

 11/17/2004 - xorg-x11-6.7.0-10 update
   arbitrary code execution fix

   Several integer overflow flaws in the X.Org libXpm library used to
   decode XPM (X PixMap) images have been found and addressed. An
   attacker could create a carefully crafted XPM file which would
   cause an application to crash or potentially execute arbitrary
   code if opened by a victim.

 11/17/2004 - xorg-x11-6.8.1-12.FC3.1 update
   arbitrary code execution fix

   Several integer overflow flaws in the X.Org libXpm library used to
   decode XPM (X PixMap) images have been found and addressed. An
   attacker could create a carefully crafted XPM file which would
   cause an application to crash or potentially execute arbitrary
   code if opened by a victim.

|  Distribution: FreeBSD          | ----------------------------//

 11/18/2004 - fetch
   Overflow error

   An integer overflow condition in the processing of HTTP headers
   can result in a buffer overflow.

|  Distribution: Gentoo           | ----------------------------//

 11/16/2004 - Ruby
   Denial of Service issue

   The CGI module in Ruby can be sent into an infinite loop,
   resulting in a Denial of Service condition.

 11/16/2004 - BNC
   Buffer overflow vulnerability

   BNC contains a buffer overflow vulnerability that may lead to
   Denial of Service and execution of arbitrary code.

 11/17/2004 - Squirrelmail
   Encoded text XSS vulnerability

   Squirrelmail fails to properly sanitize user input, which could
   lead to a compromise of webmail accounts.

 11/17/2004 - GIMPS, SETI at home, ChessBrain
   Insecure installation

   Improper file ownership allows user-owned files to be run with
   root privileges by init scripts.

|  Distribution: Mandrake         | ----------------------------//

 11/17/2004 - gd
   integer overflows fix

   Integer overflows were reported in the GD Graphics Library (libgd)
   2.0.28, and possibly other versions. These overflows allow remote
   attackers to cause a denial of service and possibly execute
   arbitrary code via PNG image files with large image rows values
   that lead to a heap-based buffer overflow in the
   gdImageCreateFromPngCtx() function.

 11/17/2004 - sudo
   vulnerability fix

   Liam Helmer discovered a flaw in sudo's environment sanitizing.
   This flaw could allow a malicious user with permission to run a
   shell script that uses the bash shell to run arbitrary commands.

 11/17/2004 - Apache
   buffer overflow fix

   A possible buffer overflow exists in the get_tag() function of
   mod_include, and if SSI (Server Side Includes) are enabled, a
   local attacker may be able to run arbitrary code with the rights
   of an httpd child process.

 11/17/2004 - Apache2
   request DoS fix

   A vulnerability in apache 2.0.35-2.0.52 was discovered by Chintan
   Trivedi; he found that by sending a large amount of specially-
   crafted HTTP GET requests, a remote attacker could cause a Denial
   of Service on the httpd server.

 11/18/2004 - bootloader-utils
   kheader issue fix

   A problem with generating kernel headers exists when using the
   newer kernel-i686-up-64GB package.  The updated bootloader-utils
   package corrects the issue.

 11/18/2004 - totem
   problem with blue screen fix

   There is a problem in the totem package where in some cases when
   running totem a blue screen would appear.  Resizing the screen
   seems to fix the problem temporarily, however upon minimizing or
   maximizing the screen it would once again become blue.

 11/18/2004 - drakxtools
   various issues fix

   A number of fixes are available in the updated drakxtools package.

|  Distribution: Red Hat          | ----------------------------//

 11/12/2004 - httpd
   security issue and bugs fix

   Updated httpd packages that include fixes for two security issues,
   as well as other bugs, are now available.

 11/12/2004 - freeradius
   security flaws fix

   Updated freeradius packages that fix a number of denial of service
   vulnerabilities as well as minor bugs are now available for Red
   Hat Enterprise Linux 3.

 11/12/2004 - libxml2
   security vulnerabilities fix

   An updated libxml2 package that fixes multiple buffer overflows is
   now available.

 11/16/2004 - samba
   security vulnerabilities fix

   Updated samba packages that fix various security vulnerabilities
   are now available.

|  Distribution: Suse             | ----------------------------//

 11/15/2004 - samba
   remote buffer overflow

   There is a problem in the Samba file sharing service daemon, which
   allows a remote user to have the service consume lots of computing
   power and potentially crash the service by querying special
   wildcarded filenames.

 11/17/2004 - xshared, XFree86-libs, xorg-x11-libs
   remote system compromises, remote buffer overflow

   The XPM library which is part of the XFree86/XOrg project is used
   by several GUI applications to process XPM image files. A source
   code review done by Thomas Biege of the SuSE Security-Team
   revealed several different kinds of bugs.

|  Distribution: Trustix          | ----------------------------//

 11/16/2004 - gd, samba, sqlgrey, sudo
   Various security fixes

   gd is a graphics library. It allows your code to quickly draw
   images complete with lines, arcs, text, multiple colors, cut and
   paste from other images, and flood fills, and write out the result
   as a PNG or JPEG file.

 11/16/2004 - apache, automake, bind, console-tools
   Package bugfix

   Apache is a full featured web server that is freely available, and
   also happens to be the most widely used.

 11/16/2004 - iptables
   Loading too many modules

   Olaf Rempel pointed out that the list of modules we autoload is
   too large. This has now been fixed.

 11/16/2004 - gd, samba, sqlgrey, sudo
   several overflows

   Several overflows have been found in gd.  These can be used to
   execute arbitrary code in programs using the gd library.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
