[ISN] Linux Advisory Watch - December 9th 2005

InfoSec News isn at c4i.org
Mon Dec 12 03:16:18 EST 2005

|  LinuxSecurity.com                               Weekly Newsletter  |
|  December 9th, 2005                           Volume 6, Number 50a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week advisories were released for gdk-pixbuf, horde2, helix-player,
Inkscape, horde2, Perl, Webmin, eagle-usb, spamassassin, mailman, xpdf,
libc-client, and imap.  The distributors include Debian, Gentoo,
Mandriva, and Red Hat.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



SELinux Policy Development: Auditing An Application

Now that you have a policy development environment and are able to
compile SELinux policy, you can make policy changes to correct any
audited messages in your system log or enable a permission needed by
an application you use.

You must create some source files when adding security policy statements
that only apply to the local system, since if you add statements to
existing files they will be overwritten during policy updates. Create
local files by issuing these commands:

touch /etc/selinux/engarde/src/policy/policy/modules/admin/local.fc
touch /etc/selinux/engarde/src/policy/policy/modules/admin/local.te
touch /etc/selinux/engarde/src/policy/policy/modules/admin/local.if

Next, edit the /etc/selinux/engarde/src/policy/policy/modules.conf file
and add a line reading local = base and save the file. Recompile the
policy and check the output to ensure your local.* files were included.

Let's say, for example, that you've installed some PHP scripts on your
website that function fine in permissive mode, but fail when you enable
enforcing mode, since the scripts are attempting an action that SELinux
does not allow.

The first step would be to open a terminal to the server, ensure you're
logged in to the sysadm_r role, and execute the following commands:

# setenforce 0
# dmesg -c
# watch audit2allow -d

These commands will allow you to view the missing SELinux permissions
in real time. The audit2allow command is the single most useful tool
when troubleshooting SELinux problems. When run with the -d switch,
it monitors the dmesg output for SELinux audit errors, and
automatically converts these errors into the correct allow command
that could be added to the policy to permit the denied action.

With the above commands running and your system in permissive mode,
run through the parts of your application that are causing trouble and
you should see your audit2allow terminal start outputting allow
statements. Review these statements, since they may be unsafe due
to incorrect file labeling and may be far too permissive.

For example, your audit2allow output may recommend giving your
application full read/write access to the etc_t type. This would
allow writing of many files in the /etc directory that belong to
other applications and would be unsafe. The correct way to design
your policy would be to change the type of the files your
application is actually accessing to something narrower and
more restricted so you can allow write access to only that new

If you're unsure what file is being accessed, look at your system
log and search it for the actual denial message. The denial message
will look something like the following:

  Oct 19 14:38:54 paxtest kernel: audit(1129747134.276:0):     \
  avc: denied { read } for name=messages dev=hda6 ino=2146393  \
  scontext=root:staff_r:staff_t tcontext=system_u:object_r:    \
  var_log_t tclass=file

The ino entry in the denial message indicates the inode of the
file that the denial refers to. You can locate this file by using
a find command thusly:

# find / -inum 2146393

If you need to assign a different file context to a file, edit the
$policy/policy/modules/admin/local.fc. The .fc files are lists
of regular expressions matching a full file path followed by a
security context to assign to that file during a relabel. Look at
other existing .fc files in the policy for an idea of how these work.
Once you assign a new context to a file, recompile and relabel, then
perform your application testing again to generate a new list of
allow statements that take the new context into account.

Read Entire Aricle:


Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.



Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to
store more data in a temporary data storage area than it was
intended to hold. Since buffers are created to contain a finite
amount of data, the extra information can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them.



Review: The Book of Postfix: State-of-the-Art Message Transport

I was very impressed with "The Book of Postfix" by authors Ralf
Hildebrandt and Pattrick Koetter and feel that it is an incredible
Postfix reference. It gives a great overall view of the operation
and management of Postfix in an extremely systematic and practical
format. It flows in a logical manner, is easy to follow and the
authors did a great job of explaining topics with attention paid
to real world applications and how to avoid many of the associated
pitfalls. I am happy to have this reference in my collection.



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New gdk-pixbuf packages fix several vulnerabilities
  1st, December, 2005

Updated package.


* Debian: New horde2 packages fix cross-site scripting
  1st, December, 2005

Updated package.


* Debian: New helix-player packages fix arbitrary code execution
  2nd, December, 2005

Updated package.


* Debian: New Inkscape packages fix arbitrary code execution
  7th, December, 2005

Updated package.


* Debian: New courier packages fix unauthorised access
  8th, December, 2005

Updated package.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: Perl Format string errors can lead to code execution
  7th, December, 2005

A fix is available for Perl to mitigate the effects of format string
programming errors, that could otherwise be exploited to execute
arbitrary code.


* Gentoo: Webmin, Usermin Format string vulnerability
  7th, December, 2005

Webmin and Usermin are vulnerable to a format string vulnerability
which may lead to the execution of arbitrary code.


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated eagle-usb packages fixes firmware loading issues
  2nd, December, 2005

This update loads the firmware each time an eagle-usb modem is
plugged in, not just when the eagle-usb module is loaded.


* Mandriva: Updated spamassassin packages fixes vulnerability
  2nd, December, 2005

SpamAssassin 3.0.4 allows attackers to bypass spam detection via an
e-mail with a large number of recipients ("To" addresses), which
triggers a bus error in Perl. Updated packages have been patched to
address this issue.


* Mandriva: Updated mailman packages fix various vulnerabilities
  2nd, December, 2005

Updated package.


* Mandriva: Updated webmin package fixes format string vulnerability
  2nd, December, 2005

Jack Louis discovered a format string vulnerability in miniserv.pl
Perl web server in Webmin before 1.250 and Usermin before 1.180,
with syslog logging enabled. This can allow remote attackers to cause
a denial of service (crash or memory consumption) and possibly
execute  arbitrary code via format string specifiers in the username
parameter  to the login form, which is ultimately used in a syslog


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Important: xpdf security update
  6th, December, 2005

An updated xpdf package that fixes several security issues is now
available. This update has been rated as having important security
impact by the Red Hat Security Response Team.


* RedHat: Moderate: libc-client security update
  6th, December, 2005

Updated libc-client packages that fix a buffer overflow issue are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.


* RedHat: Moderate: imap security update
  6th, December, 2005

An updated imap package that fixes a buffer overflow issue is now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.

More information about the ISN mailing list