[ISN] Linux Advisory Watch - November 26th 2004

InfoSec News isn at c4i.org
Mon Nov 29 01:59:40 EST 2004

|  LinuxSecurity.com                             Weekly Newsletter    |
|  November 26th, 2004                          Volume 5, Number 47a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each

This week, advisories were released for bugzilla, samba, bnc, sudo, Cyrus,
yardradius, AbiWord, unarj, pdftohtml, ProZilla, phpBB, TWiki, XFree86,
libxpm4, a2ps, zip, kdebase, and kdelibs.  The distributors include
Conectiva, Debian, Fedora, Gentoo, Mandrake, Openwall, and Trustix.

----- LinuxSecurity.com Version 2 -----

Get ready ... on December 1st the new LinuxSecurity.com site will be
revealed. The same great content you've come to expect with a whole new
look and great new features. A sneak preview is coming soon!



Security Basics

In the ever-changing world of global data communications, inexpensive
Internet connections, and fast-paced software development, security is
becoming more and more of an issue.  Security is now a basic requirement
because global computing is inherently insecure.  As your data goes from
point A to point B on the Internet, for example, it may pass through
several other points along the way, giving other users the opportunity to
intercept, and even alter, your data.  Even other users on your system may
maliciously transform your data into something you did not intend.
Unauthorized access to your system may be obtained by intruders, also
known as ``crackers'', who then use advanced knowledge to impersonate you,
steal information from you, or even deny you access to your own resources.
If you're still wondering what the difference is between a ``Hacker'' and
a ``Cracker'', see Eric Raymond's document, ``How to Become A Hacker'',
available at:


How Vulnerable Are We?

* While it is difficult to determine just how vulnerable a particular
  system is, there are several indications we can use:

* The Computer Emergency Response Team consistently reports an
  increase in computer vulnerabilities and exploits.

* TCP and UDP, the protocols that comprise the Internet, were not
  written with security as their first priority when it was created
  more than 30 years ago.

* A version of software on one host has the same vulnerabilities as
  the same version of software on another host.  Using this information,
  an intruder can exploit multiple systems using the same attack method.

* Many administrators don't even take simple security measures necessary
  to protect their site, or don't understand the ramifications of
  implementing some se

Excerpt from the LinuxSecurity Administrator's Guide:

Written by: Dave Wreski (dave at guardiandigital.com)


Mass deploying Osiris

Osiris is a centralized file-integrity program that uses a client/server
architecture to check for changes on a system.  A central server maintains
the file-integrity database and configuration for a client and at a
specified time, sends the configuration file over to the client, runs a
scan and sends the results back to the server to compare any changes.
Those changes are then sent via email, if configured, to a system admin or
group of people.  The communication is all done over an encrypted
communication channel.


-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Conectiva        | ----------------------------//

 11/23/2004 - shadow-utils authentication bypass vulnerability fix

   Martin Schulze reported a vulnerability[2] in the passwd_check()
   function in "libmisc/pwdcheck.c" which is used by chfn and chsh
   and thus may allow a local attacker to use them to change the
   standard shell of other users or modify their GECOS information
   (full name, phone number...).

 11/23/2004 - bugzilla
   remote vulnerability fix

   Bugzilla versions prior to 2.16.7 have a vulnerability[3] which
   allows a remote user to remove keywords from a ticket even without
   the necessary permissions. Such an action, however, would trigger
   the usual e-mail detailing the changes, making it easy to discover
   what happened and what was changed.

 11/25/2004 - samba
   denial of service vulnerability fix

   Karol Wiesek found a vulnerability[2] in the input validation
   routines in Samba 3.x used to match filename strings containing
   wildcard characters that may allow a remote attacker to consume
   abnormal amounts of CPU cycles.

|  Distribution: Debian           | ----------------------------//

 11/24/2004 - bnc
   buffer overflow

   Leon Juranic discovered that BNC, an IRC session bouncing proxy,
   does not always protect buffers from being overwritten.  This
   could exploited by a malicious IRC server to overflow a buffer of
   limited size and execute arbitrary code on the client host.

 11/24/2004 - sudo
   privilege escalation fix

   Liam Helmer noticed that sudo, a program that provides limited
   super user privileges to specific users, does not clean the
   environment sufficiently.  Bash functions and the CDPATH variable
   are still passed through to the program running as privileged
   user, leaving possibilities to overload system routines.

 11/24/2004 - sudo
   removes debug output

   Liam Helmer noticed that sudo, a program that provides limited
   super user privileges to specific users, does not clean the
   environment sufficiently.  Bash functions and the CDPATH variable
   are still passed through to the program running as privileged
   user, leaving possibilities to overload system routines.

 11/25/2004 - Cyrus
   IMAP arbitrary code execution fix

   Stefan Esser discovered several security related problems in the
   Cyrus IMAP daemon.  Due to a bug in the command parser it is
   possible to access memory beyond the allocated buffer in two
   places which could lead to the execution of arbitrary code.

 11/25/2004 - yardradius
   arbitrary code execution fix

   Max Vozeler noticed that yardradius, the YARD radius
   authentication and accounting server, contained a stack overflow
   similar to the one from radiusd which is referenced as
   CAN-2001-0534.  This could lead to the execution of arbitrary code
   as root.

 11/25/2004 - tetex-bin arbitrary code execution
   arbitrary code execution fix

   Chris Evans discovered several integer overflows in xpdf, that are
   also present in tetex-bin, binary files for the teTeX
   distribution, which can be exploited remotely by a specially
   crafted PDF document and lead to the execution of arbitrary code.

|  Distribution: Fedora           | ----------------------------//

 11/19/2004 - system-config-users-1.2.28-0.fc3.1 update
   arbitrary code execution fix

   check for running processes of a user about to be deleted

 11/19/2004 - system-config-users-1.2.28-0.fc2.1 update
   arbitrary code execution fix

   check for running processes of a user about to be deleted

 11/19/2004 - rhgb-0.16.1-1.FC3 update
   arbitrary code execution fix

   This should fix the problem where rhgb blocks the boot process
   when X fails to initialize correctly, as well as the one
   preventing vncserver to start when rhgb is used.

 11/22/2004 - redhat-menus-3.7-2.2.fc3 update
   arbitrary code execution fix

   This update adds additional file types to the list of file types
   associated with the OpenOffice.org application suite, allowing
   users to open more documents with OpenOffice.org through Nautilus
   and Evolution.

 11/22/2004 - kernel-2.6.9-1.6_FC2 update
   arbitrary code execution fix

   This update brings a rebase to 2.6.9, including various security
   fixes incorporated into the upstream kernel, and also includes
   Alan Cox's -ac patchset, which adds additional security fixes.

 11/22/2004 - kernel-2.6.9-1.681_FC3 update
   arbitrary code execution fix

   This update brings an updated -ac patch which which adds several
   security fixes, and various other fixes that have occured since
   the release of Fedora Core 3.

 11/22/2004 - redhat-menus-3.7.1-1.fc3 update
   arbitrary code execution fix

   This update fixes the missing evolution icon bug (#rh138282).

 11/23/2004 - system-config-display-1.0.24-1 update
   arbitrary code execution fix

   This fixes tracebacks experienced by some users with dual head

 11/24/2004 - system-config-samba-1.2.22-0.fc3.1 update
   arbitrary code execution fix

   add missing options (#137756)

 11/24/2004 - system-config-samba-1.2.22-0.fc2.1 update
   arbitrary code execution fix

   add missing options (#137756), don't raise exception when writing
   /etc/samba/smb.conf (#135946), updated translations

 11/25/2004 - AbiWord
   bug fixes

   Fixes for tempnam usages and startup geometry crashes

|  Distribution: Gentoo           | ----------------------------//

 11/19/2004 - X.org, Xfree vulnerabilities
   bug fixes

   libXpm contains several vulnerabilities that could lead to a
   Denial of Service and arbitrary code execution.

 11/19/2004 - unarj
   Long filenames buffer overflow and a path traversal vulnerability

   unarj contains a buffer overflow and a directory traversal
   vulnerability. This could lead to overwriting of arbitrary files
   or the execution of arbitrary code.

 11/23/2004 - pdftohtml
   Vulnerabilities in included Xpdf

   pdftohtml includes vulnerable Xpdf code to handle PDF files,
   making it vulnerable to execution of arbitrary code upon
   converting a malicious PDF file.

 11/23/2004 - ProZilla
   Multiple vulnerabilities

   ProZilla contains several buffer overflow vulnerabilities that can
   be exploited by a malicious server to execute arbitrary code with
   the rights of the user running ProZilla.

 11/23/2004 - phpBB
   Remote command execution

   phpBB contains a vulnerability which allows a remote attacker to
   execute arbitrary commands with the rights of the web server user.

 11/24/2004 - TWiki
   Arbitrary command execution

   A bug in the TWiki search function allows an attacker to execute
   arbitrary commands with the permissions of the user running TWiki.

 11/25/2004 - Cyrus
   IMAP Multiple remote vulnerabilities

   The Cyrus IMAP Server contains multiple vulnerabilities which
   could lead to remote execution of arbitrary code.

|  Distribution: Mandrake         | ----------------------------//

 11/23/2004 - XFree86
   vulnerabilities fix

   A source code review of the XPM library, done by Thomas Biege of
   the SuSE Security-Team revealed several different kinds of bugs.
   These bugs include integer overflows, out-of-bounds memory access,
   shell command execution, path traversal, and endless loops.

 11/23/2004 - libxpm4
   vulnerabilities fix

   A source code review of the XPM library, done by Thomas Biege of
   the SuSE Security-Team revealed several different kinds of bugs.
   These bugs include integer overflows, out-of-bounds memory access,
   shell command execution, path traversal, and endless loops.

 11/25/2004 - Cyrus
   IMAP multiple vulnerabilities

   A number of vulnerabilities in the Cyrus-IMAP server were found by
   Stefan Esser.  Due to insufficient checking within the argument
   parser of the 'partial' and 'fetch' commands, a buffer overflow
   could be exploited to execute arbitrary attacker-supplied code.

 11/25/2004 - a2ps
   vulnerability fix

   The GNU a2ps utility fails to properly sanitize filenames, which
   can be abused by a malicious user to execute arbitray commands
   with the privileges of the user running the vulnerable

 11/25/2004 - zip
   vulnerability fix

   A vulnerability in zip was discovered where zip would not check
   the resulting path length when doing recursive folder compression,
   which could allow a malicious person to convince a user to create
   an archive containing a specially-crafted path name.

 11/26/2004 - kdebase
   various bugs fixes

   A number of bugs in kdebase are fixed with this update.

 11/26/2004 - kdelibs
   various bugs fix

   A number of bugs in kdelibs are fixed with this update.

|  Distribution: Openwall         | ----------------------------//

 11/23/2004 - 2.4.28-ow1 security-related bugs
   various bugs fix

   Linux 2.4.28, and thus 2.4.28-ow1, fixes a number of
   security-related bugs, including the ELF loader vulnerabilities
   discovered by Paul Starzetz (confirmed: ability for users to read
   +s-r binaries; potential: local root), a race condition with reads
   from Unix domain sockets (potential local root), smbfs


|  Distribution: Trustix          | ----------------------------//

 11/22/2004 - apache, kernel, sudo Multiple vulnerabilities
   various bugs fix

   An issue was discovered where the field length limit was not
   enforced for certain malicious requests. This could lead to a
   remote denial of service attack.

 11/22/2004 - amavisd-new, anaconda, courier-imap, ppp, setup,
   spamassassin, swup, tftp-hpa, tsl-utils Package bugfixes
   various bugs fix

   amavisd-new: Add tmpwatch of the virusmails directory to keep it
   from growing infinitely. Anaconda: Increase ramdisk-size as needed
   by netboot floppy. Courier-imap: Now use $HOME/Maildir.

Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list