[ISN] Linux Advisory Watch - February 24th 2006

InfoSec News isn at c4i.org
Mon Feb 27 02:11:53 EST 2006

|  LinuxSecurity.com                               Weekly Newsletter  |
|  February 24th, 2006                           Volume 7, Number 9a  |

  Editors:      Dave Wreski                     Benjamin D. Thomas
                dave at linuxsecurity.com          ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for heimdal, GnuPG, pdfkit, tutos,
netpbm, compat-db, kdebase, gnbd-kernel, cman-kernel, dlm-kernel,
GFS-kernel, BomberClone, GnuPG, OpenSSH, GPdf, bluez-hcidump,
libtiff, kernel, MySQL, tar, metamail, and CASA.  The distributors
include Debian, Fedora, Gentoo, Mandriva, and SuSE.


EnGarde Secure Linux: Why not give it a try?

EnGarde Secure Linux is a Linux server distribution that is geared
toward providing an open source platform that is highly secure by default
as well as easy to administer. EnGarde Secure Linux includes a select
group of open source packages configured to provide maximum security
for tasks such as serving dynamic websites, high availability mail
transport, network intrusion detection, and more. The Community
edition of EnGarde Secure Linux is completely free and open source,
and online security and application updates are also freely
available with GDSN registration.



Writing Behind a Buffer

In this paper we describe a kind of vulnerability that is known in the
literature but poorly documented. The problem analyzed here can be
reduced to a memory adjacent overwrite attack, which is usually
obtained by exploiting the last null byte of a buffer; we are going to
show that the same result is still possible by writing behind a
buffer, under certain conditions. To fully understand the subject of
this article it is necessary to describe the memory organization of
running processes, then the memory adjacent overwrite attack,
concluding with our

Memory Organization

A process can be defined as a running program: the operating system
has loaded its instructions into memory and has allocated different
areas of memory to manage its execution. The address space of a
running process can be divided into five segments[1,2]:

* Code Segment: this segment contains the executable code of
the program.

* Data and BSS Segment: both sections are dedicated to global
variables and their sizes are fixed at compile time. To be clear,
the BSS section holds uninitialized global data, while the data
segment holds initialized static data.

* Stack Segment: local variables are allocated in this segment.
It is particularly useful for storing context and function parameters.
The stack memory grows downward.

* Heap Segment: this segment represents all the rest of the memory of
the process. The heap memory grows upward and is allocated dynamically.

The memory adjacent overwrite attack exploits the memory allocated
on the stack for automatic variables to produce a buffer overflow[6]
and to gain control of the process execution flow.

Memory Adjacent Overwrite Attack

In recent years some articles[4,5] were released about exploiting
non-terminated adjacent memory space. The problem exists when the
last null byte terminating a buffer is overwritten and another
buffer precedes it.

In fact, when a buffer is declared it is terminated on the stack
with a null byte that separates it from the rest of the stack. To
make this clear, let's look at an example written in C in which
we use two buffers.

Read Full Paper


EnGarde Secure Community 3.0.4 Released

Guardian Digital is happy to announce the release of EnGarde
Secure Community 3.0.4 (Version 3.0, Release 4). This release
includes several bug fixes and feature enhancements to the Guardian
Digital WebTool and the SELinux policy, and several new packages
available for installation.



Linux File & Directory Permissions Mistakes

One common mistake Linux administrators make is having file and
directory permissions that are far too liberal and allow access
beyond that which is needed for proper system operations. A full
explanation of unix file permissions is beyond the scope of this
article, so I'll assume you are familiar with the usage of such
tools as chmod, chown, and chgrp. If you'd like a refresher, one
is available right here on linuxsecurity.com.



Buffer Overflow Basics

A buffer overflow occurs when a program or process tries to
store more data in a temporary data storage area than it was
intended to hold. Since buffers are created to contain a finite
amount of data, the extra information can overflow into adjacent
buffers, corrupting or overwriting the valid data held in them.
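The two-buffer situation that the "Writing Behind a Buffer" paper
introduces above, and the "extra information can overflow into adjacent
buffers" point of the Buffer Overflow Basics paragraph, can both be seen
in a few lines of C. The following is an added example written for this
newsletter page; it is not code from the paper, from Guardian Digital or
from LinuxSecurity.com. It assumes GCC or Clang (for the `noinline`
attribute and the inline-asm barrier) and uses a struct, rather than two
stack variables, so that `buf1` is guaranteed to sit immediately before
`buf2` regardless of how the compiler lays out the stack. The inputs are
constructed for the demonstration.

```c
/* Added example (not from the paper or the newsletter): what happens
 * when the null byte terminating one buffer is missing and another
 * buffer follows it in memory. Assumes GCC/Clang. */
#include <stdio.h>
#include <string.h>

/* Two adjacent 8-byte buffers. Putting them in a struct makes the
 * adjacency explicit (offset 0 and offset 8); on a real stack the
 * compiler decides the layout. */
struct frame {
    char buf1[8];
    char buf2[8];
};

/* Defender check: does buf contain a null byte within its n bytes,
 * i.e. is it a properly terminated C string? 1 = yes, 0 = no. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Compiler barrier: hides where p came from so the optimizer cannot use
 * the declared array bound to fold or flag the strlen() below. Needed
 * only so the demonstration reflects what the CPU actually does. */
static const char *launder(const char *p)
{
    __asm__ __volatile__("" : "+r"(p));
    return p;
}

/* Unsafe pattern: strncpy() with the full buffer size writes no
 * terminator when the input is 8 bytes or longer. strlen() then keeps
 * scanning past buf1 into buf2 and reports the combined length. Reading
 * past the end of buf1 is undefined behaviour in C; in practice the
 * scan simply continues into the adjacent buffer. */
__attribute__((noinline))
size_t unterminated_length(const char *input, const char *neighbour)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    strncpy(f.buf2, neighbour, sizeof f.buf2 - 1);   /* buf2 stays terminated */
    strncpy(f.buf1, input, sizeof f.buf1);           /* buf1 may lose its terminator */
    return strlen(launder(f.buf1));
}

/* Hardened pattern: copy at most sizeof-1 bytes and always write the
 * terminator yourself, so the string can never extend beyond buf1. */
__attribute__((noinline))
size_t terminated_length(const char *input, const char *neighbour)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    strncpy(f.buf2, neighbour, sizeof f.buf2 - 1);
    strncpy(f.buf1, input, sizeof f.buf1 - 1);
    f.buf1[sizeof f.buf1 - 1] = '\0';
    return strlen(launder(f.buf1));
}

int main(void)
{
    /* Constructed inputs: an 8-byte string exactly fills buf1. */
    printf("unsafe copy, strlen(buf1) = %zu\n",
           unterminated_length("AAAAAAAA", "hello"));   /* 8 + 5: ran into buf2 */
    printf("safe copy,   strlen(buf1) = %zu\n",
           terminated_length("AAAAAAAA", "hello"));     /* 7: stopped inside buf1 */
    return 0;
}
```

The interesting case is the 8-byte input: the unsafe copy fills `buf1`
completely, so the string "continues" into `buf2` and any later
`strcpy`, `strlen` or `printf("%s")` on `buf1` silently operates on both
buffers at once. The `is_terminated()` helper is the kind of check worth
applying to any fixed-size buffer filled by `strncpy()` or `read()`
before it is handed to a string function.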



-->  Take advantage of the LinuxSecurity.com Quick Reference Card!
-->  http://www.linuxsecurity.com/docs/QuickRefCard.pdf

|  Distribution: Debian           | ----------------------------//

* Debian: New heimdal packages fix several vulnerabilities
  16th, February, 2006

Updated package.


* Debian: New GnuPG packages fix invalid success return
  17th, February, 2006

Updated package.


* Debian: New pdfkit.framework packages fix several vulnerabilities
  17th, February, 2006

Updated package.


* Debian: New tutos packages fix multiple vulnerabilities
  22nd, February, 2006

Joxean Koret discovered several security problems in tutos, a
web-based team organization software. The Common Vulnerabilities and
Exposures Project identifies the following problems...


|  Distribution: Fedora           | ----------------------------//

* Fedora Core 4 Update: netpbm-10.31-1.FC4.2
  16th, February, 2006

Updated package.


* Fedora Core 4 Update: compat-db-4.2.52-2.FC4
  17th, February, 2006

Updated package.


* Fedora Core 4 Update: gnupg-
  17th, February, 2006

The GNU Privacy Guard provides encryption and signing for messages
and arbitrary files, and implements the OpenPGP standard as described
by IETF RFC2440.


* Fedora Core 4 Update: kdebase-3.5.1-0.3.fc4
  17th, February, 2006

Updated package.


* Fedora Core 4 Update: gnbd-kernel-
  22nd, February, 2006

Updated GFS & Cluster Suite packages for the latest kernel


* Fedora Core 4 Update: cman-kernel-
  22nd, February, 2006

Updated GFS & Cluster Suite packages for the latest kernel


* Fedora Core 4 Update: dlm-kernel-
  22nd, February, 2006

Updated GFS & Cluster Suite packages for the latest kernel


* Fedora Core 4 Update: GFS-kernel-
  22nd, February, 2006

Updated GFS & Cluster Suite packages for the latest kernel


|  Distribution: Gentoo           | ----------------------------//

* Gentoo: libtasn1, GNU TLS Security flaw in DER decoding
  16th, February, 2006

A flaw in the parsing of Distinguished Encoding Rules (DER) has been
discovered in libtasn1, potentially resulting in the execution of
arbitrary code.


* Gentoo: BomberClone Remote execution of arbitrary code
  16th, February, 2006

BomberClone is vulnerable to a buffer overflow which may lead to
remote execution of arbitrary code.


* Gentoo: GnuPG Incorrect signature verification
  18th, February, 2006

Applications relying on GnuPG to authenticate digital signatures may
incorrectly believe a signature has been verified.


* Gentoo: OpenSSH, Dropbear Insecure use of system() call
  20th, February, 2006

A flaw in OpenSSH and Dropbear allows local users to elevate their
privileges via scp.


* Gentoo: GPdf Heap overflows in included Xpdf code
  21st, February, 2006

GPdf includes vulnerable Xpdf code to handle PDF files, making it
vulnerable to the execution of arbitrary code.


|  Distribution: Mandriva         | ----------------------------//

* Mandriva: Updated kernel packages fix multiple vulnerabilities
  17th, February, 2006

A number of vulnerabilities were discovered and corrected in the
Linux 2.6 kernel: The udp_v6_get_port function in udp.c, when running IPv6,
allows local users to cause a Denial of Service (infinite loop and
crash) (CVE-2005-2973).


* Mandriva: Updated bluez-hcidump packages fix buffer overflow
  17th, February, 2006

Buffer overflow in l2cap.c in hcidump allows remote attackers to
cause a denial of service (crash) through a wireless Bluetooth
connection via a malformed Logical Link Control and Adaptation
Protocol (L2CAP) packet.


* Mandriva: Updated libtiff packages fix vulnerability
  17th, February, 2006

Stack-based buffer overflow in libTIFF before 3.7.2 allows remote
attackers to execute arbitrary code via a TIFF file with a malformed
BitsPerSample tag.  Although some of the previous updates appear to
already catch this issue, this update adds some additional checks.


* Mandriva: Updated gnupg packages fix signature file verification
  17th, February, 2006

Tavis Ormandy discovered it is possible to make gpg incorrectly
return success when verifying an invalid signature file.  The updated
packages have been patched to address this issue.


* Mandriva: Updated kernel packages fix multiple vulnerabilities
  21st, February, 2006

A number of vulnerabilities have been discovered and corrected in the
Linux 2.4 kernel:
A numeric casting discrepancy in sdla_xfer could allow a local user
to read portions of kernel memory via a large len argument


* Mandriva: Updated MySQL packages fix temporary file vulnerability
  22nd, February, 2006

Eric Romang discovered a temporary file vulnerability in the
mysql_install_db script provided with MySQL.  This vulnerability
only affects versions of MySQL 4.1.x prior to 4.1.12.
The updated packages have been patched to address this issue.


* Mandriva: Updated tar packages fix vulnerability
  22nd, February, 2006

GNU tar versions 1.14 and above have a buffer overflow vulnerability
and some other issues including...


* Mandriva: Updated metamail packages fix vulnerability
  23rd, February, 2006

Ulf Harnhammar discovered a buffer overflow vulnerability in the way
that metamail handles certain mail messages.  An attacker could
create a carefully-crafted message that, when parsed via metamail,
could execute arbitrary code with the privileges of the user running


|  Distribution: Red Hat          | ----------------------------//

* RedHat: Low: tar security update
  21st, February, 2006

An updated tar package that fixes a path traversal flaw is now
available. This update has been rated as having low security impact
by the Red Hat Security Response Team.


* RedHat: Important: metamail security update
  21st, February, 2006

An updated metamail package that fixes a buffer overflow
vulnerability for Red Hat Enterprise Linux 2.1 is now available. This
update has been rated as having important security impact by the Red
Hat Security Response Team.


|  Distribution: SuSE             | ----------------------------//

* SuSE: gpg,liby2util signature checking
  20th, February, 2006

With certain handcraftable signatures GPG was returning 0 (valid
signature) when used on the command line with the option --verify. This
only affects GPG version 1.4.x, so it only affects SUSE Linux 9.3 and
10.0.  Other SUSE Linux versions are not affected.


* SuSE: CASA remote code execution
  22nd, February, 2006

Updated package.


Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request at linuxsecurity.com
         with "unsubscribe" in the subject of the message.
