[ISN] Linux Advisory Watch - February 17th 2006

InfoSec News isn at c4i.org
Mon Feb 20 02:06:49 EST 2006

|  LinuxSecurity.com                               Weekly Newsletter  |
|  February 17th, 2006                           Volume 7, Number 8a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for adzapper, elog, noweb,
scponly, kronolith, xpdf, pdfkit, OTRS, gpdf, nfs-user-server,
libast, heimdal, poppler, kdegraphics, gnutls, cpuspeed, pam,
postgresql, selinux-policy-targeted, ImageMagick, BomberClone,
ghostscript, libpng, kdegraphics, and openssh.  The distributors
include Debian, Fedora, Gentoo, Mandriva, and SuSE.


Earn an NSA recognized IA Masters Online

The NSA has designated Norwich University a center of Academic
Excellence in Information Security. Our program offers unparalleled
Infosec management education and the case study affords you unmatched
consulting experience. Using interactive e-Learning technology, you
can earn this esteemed degree, without disrupting your career or home



pgp Key Signing Observations: Overlooked Social and
Technical Considerations

By: Atom Smasher

While there are several sources of technical information on using
pgp in general, and key signing in particular, this article
emphasizes social aspects of key signing that are too often ignored,
misleading or incorrect in the technical literature. There are also
technical issues pointed out where I believe other documentation
to be lacking. It is important to acknowledge and address social
aspects in a system such as pgp, because the weakest link in the
system is the human that is using it. The algorithms, protocols
and applications used as part of a pgp system are relatively
difficult to compromise or 'break', but the human user can often
be easily fooled. Since the human is the weak link in this chain,
attention must be paid to actions and decisions of that human;
users must be aware of the pitfalls and know how to avoid them.


This document is intended to be of use to those wishing to
participate in the exchange of signatures on their OpenPGP keys.
It is assumed that the reader has a basic understanding of pgp,
what it's used for and how to use it. Those more experienced
with pgp may wish to skip the sections they are familiar with,
but it is suggested that even the basic information be


When one first generates a key, it is important that it be
done on a secure machine in a secure environment. One attack
against pgp that is rarely mentioned allows Mallory to steal
or even replace a pgp key before it is distributed. Mallory
would need to compromise Bob's computer prior to Bob's creation
of a key.

Mallory could then eavesdrop on Bob as he types the pgp
passphrase for the first time, and steal the passphrase along
with the secret key. In this case Bob's key is compromised
before it even exists.

If at any time Mallory is able to break into Bob's computer,
she can steal his private key and wait for him to type in his
pgp passphrase. Mallory may use a virus or trojan to
accomplish this. A screwdriver or bootable CD can compromise
the private key. A spy camera or key-logger can compromise the
passphrase. This would allow Mallory to read any message ever
encrypted to Bob and sign any message or key with Bob's

Aside from keeping his personal computer secure, Bob should
save a copy of his private key in a secure, off-line, off-site
location. This off-line and off-site backup keeps Bob's private
key secure against loss from such things as disk crash or his
computer being stolen by either common or government thieves.
Depending on who is out to get him, he may consider it more
secure to burn his private key onto a CD and store it in a
bank safe, or print it onto paper and hide it inside a
painting. As always, the most appropriate meaning of 'secure'
is left to the needs and perceptions of the reader.

Note that it is often unnecessary to make a backup copy of a
public key for two reasons: 1) if it is publicly available
and can be retrieved from a keyserver and 2) the "gpgsplit"
command has a "secret-to-public" option that can recover a
public key from a private key. Note that gpgsplit may not
recover accurate expiration dates and preferences if they
were updated after the key was created.

One should never sign a key (or use pgp at all) on an
untrusted computer or in an untrusted environment. Gather
the information needed to sign a key and sign it when you
get home. If your home computer and environment are not
trusted, you have bigger problems to worry about.

Read Entire Article:


EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.4 (Version 3.0, Release 4). This release
includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, and several new packages
available for installation.



Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.
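The check an administrator actually wants here is one that finds the over-permissive settings before an attacker does. The following C program is an added example, not code from LinuxSecurity.com: it classifies a path's mode bits (world-writable files, world-writable directories without the sticky bit, group-writable entries, setuid/setgid on regular files), can strip exactly the flagged bits, and includes a fixture that exercises the audit on temporary files it creates under /tmp (those files, the PERM_* names and the flag encoding are assumptions made for this example).

```c
/* Permission audit for the "too liberal permissions" mistake above.
 * Added example, not LinuxSecurity.com code; the temporary files under
 * /tmp are fixtures constructed here. Build: cc -std=c99 perm_audit.c */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

enum {
    PERM_OK          = 0,
    PERM_WORLD_WRITE = 1 << 0, /* o+w on a file, or on a dir without sticky bit */
    PERM_GROUP_WRITE = 1 << 1, /* g+w: rarely needed, often left by chmod 777 */
    PERM_SETUID      = 1 << 2, /* u+s on a regular file */
    PERM_SETGID      = 1 << 3, /* g+s on a regular file */
    PERM_STAT_FAILED = 1 << 7  /* path missing or unreadable */
};

/* Classify an st_mode value; pure, so it can be tested without touching disk. */
int flags_for_mode(mode_t mode)
{
    int flags = PERM_OK;
    /* A world-writable directory is acceptable only with the sticky bit,
     * as /tmp is; without it any user can delete or rename others' files. */
    int open_sticky_dir = S_ISDIR(mode) && (mode & S_ISVTX);

    if ((mode & S_IWOTH) && !open_sticky_dir)
        flags |= PERM_WORLD_WRITE;
    if ((mode & S_IWGRP) && !open_sticky_dir)
        flags |= PERM_GROUP_WRITE;
    if (S_ISREG(mode)) {
        if (mode & S_ISUID) flags |= PERM_SETUID;
        if (mode & S_ISGID) flags |= PERM_SETGID;
    }
    return flags;
}

/* Audit one path; lstat() so a symlink is judged by its own mode, not its target's. */
int audit_path(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return PERM_STAT_FAILED;
    return flags_for_mode(st.st_mode);
}

/* Remove exactly the bits that were flagged (chmod o-w,g-w,u-s,g-s as needed). */
int tighten_path(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
        return -1;
    int flags = flags_for_mode(st.st_mode);
    mode_t m = st.st_mode & 07777;
    if (flags & PERM_WORLD_WRITE) m &= ~(mode_t)S_IWOTH;
    if (flags & PERM_GROUP_WRITE) m &= ~(mode_t)S_IWGRP;
    if (flags & PERM_SETUID)      m &= ~(mode_t)S_ISUID;
    if (flags & PERM_SETGID)      m &= ~(mode_t)S_ISGID;
    return chmod(path, m);
}

/* Fixture: create a temp file with the given mode, audit it, tighten it,
 * audit again. Returns before-flags | (after-flags << 8). */
int audit_temp_file(mode_t mode)
{
    char path[] = "/tmp/permaudit-XXXXXX";   /* constructed fixture path */
    int fd = mkstemp(path);
    if (fd < 0)
        return PERM_STAT_FAILED;
    close(fd);
    if (chmod(path, mode) != 0) {
        unlink(path);
        return PERM_STAT_FAILED;
    }
    int before = audit_path(path);
    int after = (tighten_path(path) == 0) ? audit_path(path) : PERM_STAT_FAILED;
    unlink(path);
    return before | (after << 8);
}

static void report(const char *path, int flags)
{
    printf("%s:%s%s%s%s%s\n", path,
           flags == PERM_OK ? " ok" : "",
           (flags & PERM_WORLD_WRITE) ? " world-writable" : "",
           (flags & PERM_GROUP_WRITE) ? " group-writable" : "",
           (flags & PERM_SETUID) ? " setuid" : "",
           (flags & PERM_SETGID) ? " setgid" : "");
}

/* Usage: ./perm_audit [--fix] PATH... */
int main(int argc, char **argv)
{
    int fix = argc > 1 && strcmp(argv[1], "--fix") == 0;
    for (int i = 1 + fix; i < argc; i++) {
        int flags = audit_path(argv[i]);
        if (flags == PERM_STAT_FAILED) { perror(argv[i]); continue; }
        report(argv[i], flags);
        if (fix && flags != PERM_OK && tighten_path(argv[i]) == 0)
            report(argv[i], audit_path(argv[i]));
    }
    return 0;
}
```

Run it without --fix first and read the report; setuid binaries that a package legitimately installs (su, passwd) will be listed too, and the decision to strip them belongs to the administrator, not the script.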



Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to
store more data in a temporary data storage area than it was
intended to hold. Since buffers are created to contain a finite
amount of data, the extra information can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them.
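To make the paragraph concrete, here is an added C example (not code from LinuxSecurity.com or from any project named on this page) showing the unchecked copy it describes, a bounded replacement that always terminates and never writes past the buffer, and the dimension check that turns "width or height exceeding the bitmap" into a rejected input rather than an undersized heap buffer. The 16-byte buffer, the canary frame around it and the bitmap sizes are fixtures constructed for the example; the function names are assumptions.

```c
/* Buffer overflow basics in code. Added example, not code from
 * LinuxSecurity.com or any project on this page; BUF_SIZE, the canary
 * frame and the bitmap dimensions are fixtures constructed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define BUF_SIZE 16

/* The classic mistake: strcpy() copies until the source's NUL with no
 * idea how large dst is; anything past 15 bytes lands in whatever is
 * adjacent in memory. Shown for contrast only; never called below. */
void copy_unchecked(char dst[BUF_SIZE], const char *src)
{
    strcpy(dst, src);
}

/* Bounded copy: writes at most dst_size bytes and always NUL-terminates.
 * Returns 0 if src fit, -1 if it had to be truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;
    /* Scan at most dst_size bytes so an unterminated source cannot make
     * us read past its end either. */
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Fixture: copy src into a 16-byte buffer placed between two canary
 * fields, then verify the neighbours survived. Returns 0 (fit),
 * 1 (truncated) or -1 (an adjacent field was overwritten). */
int demo_bounded_copy(const char *src)
{
    struct { char before[8]; char buf[BUF_SIZE]; char after[8]; } frame;
    memset(frame.before, 'A', sizeof frame.before);
    memset(frame.after, 'B', sizeof frame.after);
    int rc = copy_bounded(frame.buf, BUF_SIZE, src);
    for (size_t i = 0; i < 8; i++)
        if (frame.before[i] != 'A' || frame.after[i] != 'B')
            return -1;
    if (memchr(frame.buf, '\0', BUF_SIZE) == NULL)
        return -1;                       /* not terminated inside buf */
    return rc == 0 ? 0 : 1;
}

/* Bitmap sizing: reject dimensions that are not positive or whose product
 * would wrap size_t, which is how a crafted width/height becomes an
 * undersized heap buffer. Returns 0 and sets *out on success. */
int bitmap_size_checked(long width, long height, size_t bpp, size_t *out)
{
    if (width <= 0 || height <= 0 || bpp == 0)
        return -1;
    if ((size_t)width > SIZE_MAX / bpp)
        return -1;
    size_t row = (size_t)width * bpp;
    if ((size_t)height > SIZE_MAX / row)
        return -1;
    *out = row * (size_t)height;
    return 0;
}

typedef struct { long width, height; size_t row_bytes; unsigned char *px; } Bitmap;

/* Every pixel write goes through a bounds check instead of trusting (x, y). */
int bitmap_put(Bitmap *bm, long x, long y, unsigned char v)
{
    if (x < 0 || y < 0 || x >= bm->width || y >= bm->height)
        return -1;
    bm->px[(size_t)y * bm->row_bytes + (size_t)x] = v;
    return 0;
}

/* Fixture: allocate a w x h 8-bit bitmap and write one pixel. Returns -2
 * if the dimensions are rejected (or allocation fails), else bitmap_put's result. */
int demo_bitmap(long w, long h, long x, long y)
{
    size_t bytes;
    if (bitmap_size_checked(w, h, 1, &bytes) != 0)
        return -2;
    Bitmap bm = { w, h, (size_t)w, calloc(1, bytes) };
    if (bm.px == NULL)
        return -2;
    int rc = bitmap_put(&bm, x, y, 0xff);
    free(bm.px);
    return rc;
}

int main(void)
{
    printf("short string: %d\n", demo_bounded_copy("hello"));
    printf("oversized string: %d\n", demo_bounded_copy("this is longer than sixteen bytes"));
    printf("pixel inside 4x4: %d\n", demo_bitmap(4, 4, 3, 3));
    printf("pixel outside 4x4: %d\n", demo_bitmap(4, 4, 4, 0));
    printf("absurd dimensions: %d\n", demo_bitmap(5000000000L, 5000000000L, 0, 0));
    return 0;
}
```

The two halves correspond to the two ways the advisories on this page get into trouble: a copy that trusts the source's length, and an allocation that trusts attacker-supplied dimensions. Truncation is reported rather than silently accepted, so callers can decide whether a too-long input is an error.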



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New adzapper packages fix denial of service
  9th, February, 2006

Updated package.


* Debian: New elog packages fix arbitrary code execution
  10th, February, 2006

Several security problems have been found in elog, an electronic
logbook to manage notes.  The Common Vulnerabilities and Exposures
Project identifies the following problems...


* Debian: New noweb packages fix insecure temporary file creation
  13th, February, 2006

Updated package.


* Debian: New scponly packages fix potential root vulnerability
  13th, February, 2006

Updated package.


* Debian: New kronolith packages fix cross-site scripting
  14th, February, 2006

Updated package.


* Debian: New xpdf packages fix denial of service
  14th, February, 2006

Updated package.


* Debian: New pdfkit.framework packages fix denial of service
  15th, February, 2006

Updated package.


* Debian: New OTRS packages fix several vulnerabilities
  15th, February, 2006

Updated package.


* Debian: New gpdf packages fix denial of service
  15th, February, 2006

Updated package.


* Debian: New nfs-user-server packages fix arbitrary code execution
  15th, February, 2006

Marcus Meissner discovered that attackers can trigger a buffer
overflow in the path handling code by creating or abusing existing
symlinks, which may lead to the execution of arbitrary code.


* Debian: New libast packages fix arbitrary code execution
  15th, February, 2006

Johnny Mast discovered a buffer overflow in libast, the library of
assorted spiffy things, that can lead to the execution of arbitrary
code.  This library is used by eterm which is installed setgid uid
which leads to a vulnerability to alter the utmp file.


* Debian: New heimdal packages fix several vulnerabilities
  16th, February, 2006

Updated package.


|  Distribution: Fedora           | ----------------------------//

* Fedora Core 4 Update: poppler-0.4.5-1.1
  10th, February, 2006

Heap-based buffer overflow in Splash.cc in poppler allows
attackers to cause a denial of service and possibly execute
arbitrary code via crafted splash images that produce
certain values that exceed the width or height of the
associated bitmap.


* Fedora Core 4 Update: xpdf-3.01-0.FC4.8
  10th, February, 2006

xpdf contains a heap based buffer overflow in the splash
rasterizer engine that can crash kpdf or even execute
arbitrary code.
Users impacted by these issues should update to this new
package release.


* Fedora Core 4 Update: kdegraphics-3.5.1-0.2.fc4
  10th, February, 2006

kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains
a heap based buffer overflow in the splash rasterizer engine
that can crash kpdf or even execute arbitrary code.
Users impacted by these issues should update to this new
package release.


* Fedora Core 4 Update: gnutls-1.0.25-2.FC4
  10th, February, 2006

Updated package.


* Fedora Core 4 Update: cpuspeed-1.2.1-1.24_FC4
  12th, February, 2006

Updated package.


* Fedora Core 4 Update: pam_krb5-2.1.15-2
  14th, February, 2006

This update fixes several bugs which have been found since FC4 was


* Fedora Core 4 Update: postgresql-8.0.7-1.FC4.1
  14th, February, 2006

Updated package.


* Fedora Core 4 Update: selinux-policy-targeted-1.27.1-2.22
  14th, February, 2006

Zebra was still broken.  Hopefully fixed by this update.


* Fedora Core 4 Update: selinux-policy-strict-1.27.1-2.22
  14th, February, 2006

Zebra was still broken.  Hopefully fixed by this update.


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: Xpdf, Poppler Heap overflow
  12th, February, 2006

Xpdf and Poppler are vulnerable to a heap overflow that may be
exploited to execute arbitrary code.


* Gentoo: KPdf Heap based overflow
  12th, February, 2006

KPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.


* Gentoo: ImageMagick Format string vulnerability
  13th, February, 2006

A vulnerability in ImageMagick allows attackers to crash the
application and potentially execute arbitrary code.


* Gentoo: KPdf Heap based overflow
  13th, February, 2006

KPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.


* Gentoo: Sun JDK/JRE Applet privilege escalation
  14th, February, 2006

Sun's Java Development Kit (JDK) and Java Runtime Environment (JRE)
do not adequately constrain applets from privilege escalation and
arbitrary code execution.


* Gentoo: libtasn1, GNU TLS Security flaw in DER decoding
  16th, February, 2006

A flaw in the parsing of Distinguished Encoding Rules (DER) has been
discovered in libtasn1, potentially resulting in the execution of
arbitrary code.


* Gentoo: BomberClone Remote execution of arbitrary code
  16th, February, 2006

BomberClone is vulnerable to a buffer overflow which may lead to
remote execution of arbitrary code.


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated ghostscript packages fix various bugs
  10th, February, 2006

A number of bugs have been corrected with this latest ghostscript
package including a fix when rendering images when converting
PostScript to PDF with ps2pdf, a crash when generating PDF files with
the pdfwrite device, several segfaults, a fix for vertical Japanese
text, and a number of other fixes.


* Mandriva: Updated gnutls packages fix libtasn1 out-of-bounds access
  14th, February, 2006

Evgeny Legerov discovered cases of possible out-of-bounds access in
the DER decoding schemes of libtasn1, when provided with invalid
input.  This library is bundled with gnutls. The provided packages
have been patched to correct these issues.


* Mandriva: Updated postgresql packages fix various bugs
  14th, February, 2006

Various bugs in the PostgreSQL 8.0.x branch have been corrected with
the latest 8.0.7 maintenance release which is being provided for
Mandriva Linux 2006 users.


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Important: gnutls security update
  10th, February, 2006

Updated gnutls packages that fix a security issue are now available
for Red Hat Enterprise Linux 4.


* RedHat: Important: xpdf security update
  13th, February, 2006

An updated xpdf package that fixes a buffer overflow security issue
is now available. This update has been rated as having important
security impact by the Red Hat Security Response Team.


* RedHat: Moderate: libpng security update
  13th, February, 2006

Updated libpng packages that fix a security issue are now available
for Red Hat Enterprise Linux 4. This update has been rated as having
moderate security impact by the Red Hat Security Response Team.


* RedHat: Important: kdegraphics security update
  13th, February, 2006

Updated kdegraphics packages that resolve a security issue in kpdf
are now available. This update has been rated as having important
security impact by the Red Hat Security Response Team.


* RedHat: Moderate: ImageMagick security update
  14th, February, 2006

Updated ImageMagick packages that fix two security issues are now
available. This update has been rated as having moderate security
impact by the Red Hat Security Response Team.


|  Distribution: SuSE             | ----------------------------//

* SuSE: kernel remote denial of service
  9th, February, 2006

The Linux kernel on SUSE Linux 10.0 has been updated to fix the
following security problems...


* SuSE: binutils, kdelibs3, kdegraphics3, koffice, dia, lyx
  10th, February, 2006

A SUSE specific patch to the GNU linker 'ld' removes redundant RPATH
and RUNPATH components when linking binaries. Due to a bug in this
routine ld occasionally left empty RPATH components. When running a
binary with empty RPATH components the dynamic linker tries to load
shared libraries from the current directory.


* SuSE: openssh (SUSE-SA:2006:008)
  14th, February, 2006

Updated package.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
