Insecurity News - Linux Magazine

Omega-RPG
Steve Kemp also discovered a buffer overflow vulnerability in the command line and environment variable handling of omega-rpg, a text-based rogue-style role playing game of dungeon exploration, which could lead a local attacker to gain unauthorized access to the group games.
Debian reference DSA-400-1 omega-rpg – buffer overflow

PostgreSQL
Tom Lane discovered a buffer overflow in the to_ascii function in PostgreSQL. This allows remote attackers to execute arbitrary code on the host running the database.
Debian reference DSA-397-1 postgresql – buffer overflow
Mandrake reference MDKSA-2003:102 : postgresql

Epic4
Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user.
Debian reference DSA-399-1 epic4 – buffer overflow

thttpd
Several vulnerabilities have been discovered in thttpd, a tiny HTTP web-server. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:
CAN-2002-1562: Information leak. Marcus Breiing discovered that if thttpd is used for virtual hosting, and an attacker supplies a specially crafted “Host:” header with a pathname instead of a hostname, thttpd will reveal information about the host system. Hence, an attacker can browse the entire disk.
CAN-2003-0899: Arbitrary code execution. Joel Söderberg and Christer Öberg discovered a remote overflow which allows an attacker to partially overwrite the EBP register and hence execute arbitrary code.
Debian reference DSA-396-1 thttpd – missing input sanitizing, wrong calculation
SUSE reference SuSE-SA:2003:044 – thttpd
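The virtual-hosting flaw above, modelled in an added Python example that is not part of the magazine text or of thttpd's own code: the unsafe lookup builds the document-root directory from the Host header as received, the hardened one accepts only a syntactically valid hostname and confirms the result still lies under the vhost root. VHOST_ROOT, the hostname grammar and both function names are constructed for this example.

```python
import posixpath
import re

# Constructed example layout: one document root per virtual host under this directory.
VHOST_ROOT = "/srv/www/vhosts"

# A hostname is dot-separated labels of letters, digits and hyphens (no leading or
# trailing hyphen, at most 63 characters each), optionally followed by a port.
# Slashes, dot-only labels such as "..", and empty strings never match.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$){LABEL}(?:\.{LABEL})*\.?(?::\d{{1,5}})?$")


def vhost_dir_unsafe(host_header):
    """Vulnerable pattern: whatever arrived in Host: becomes part of the path.
    A pathname such as "/etc" or "../../../etc" escapes VHOST_ROOT entirely."""
    return posixpath.normpath(posixpath.join(VHOST_ROOT, host_header))


def vhost_dir_safe(host_header):
    """Hardened lookup: reject anything that is not a hostname, drop the port and
    any trailing dot, then verify the resolved path is still under VHOST_ROOT."""
    if not HOSTNAME_RE.match(host_header):
        return None
    name = host_header.split(":", 1)[0].rstrip(".").lower()
    path = posixpath.normpath(posixpath.join(VHOST_ROOT, name))
    if posixpath.commonpath([VHOST_ROOT, path]) != VHOST_ROOT:
        return None
    return path
```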

Fetchmail
A bug was discovered in fetchmail 6.2.4 where a specially crafted email message can cause fetchmail to crash. Thanks to Nalin Dahyabhai of Red Hat for providing the patch to fix the problem.
Mandrake reference MDKSA-2003:101 : fetchmail

gdm
Two vulnerabilities were discovered in gdm by Jarno Gassenbauer that would allow a local attacker to cause gdm to crash or freeze.
Mandrake reference MDKSA-2003:100 : gdm

Tomcat 4
Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat’s HTTP connector makes Tomcat reject further requests on this port until it is restarted. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0866 to this issue.
Debian reference DSA-395-1 tomcat4 – incorrect input handling

Conquest
Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could lead a local attacker to gain unauthorized access to the group conquest.
Debian reference DSA-398-1 conquest – buffer overflow
Insecurity News | January 2004 | www.linux-magazine.com | page 14

Security Posture of Major Distributions

Distributor: Debian
Security sources: Info: http://www.debian.org/security/ | List: http://lists.debian.org/debian-security-announce/ | Reference: DSA-… 1)
Comments: The current Debian security advisories are included on the homepage. Advisories are provided as HTML pages with links to the patches. The security advisory also contains a reference to the mailing list.

Distributor: Gentoo
Security sources: Forum: http://forums.gentoo.org/ | List: http://www.gentoo.org/main/en/lists.xml | Reference: GLSA:… 1)
Comments: Unfortunately, Gentoo does not offer a website with security updates or other security information. This forum is the only alternative.

Distributor: Mandrake
Security sources: Info: http://www.mandrakesecure.net | List: http://www.mandrakesecure.net/en/mlist.php | Reference: MDKSA-… 1)
Comments: MandrakeSoft runs its own Web site on security topics. Among other things, it includes security advisories and references to the mailing lists. The advisories are HTML pages, but there are no links to the patches.

Distributor: Red Hat
Security sources: Info: http://www.redhat.com/errata/ | List: http://www.redhat.com/mailing-lists/ | Reference: RHSA-… 1)
Comments: Red Hat files security advisories as so-called Errata: Issues for each Red Hat Linux version are then grouped. The security advisories are provided in the form of an HTML page with links to patches.

Distributor: Slackware
Security sources: Info: http://www.slackware.com/security/ | List: http://www.slackware.com/lists/ (slackware-security) | Reference: [slackware-security] … 1)
Comments: The start page contains links to the security mailing list archive. No additional information on Slackware security is available.

Distributor: SuSE
Security sources: Info: http://www.suse.de/uk/private/support/security/ | Patches: http://www.suse.de/uk/private/download/updates/ | List: suse-security-announce | Reference: SUSE-SA … 1)
Comments: There is no longer a link to the security page after changes to the Web site. It contains information on the mailing list and the advisories. The security patches for the individual SuSE Linux versions are shown in red on the general updates site. A short description of the vulnerability the patch resolves is provided.

1) All distributors indicate security mails in the subject line.

Hylafax
Hylafax is an Open Source fax server that allows sharing of fax equipment among computers by offering its service to clients via a protocol similar to FTP. The SuSE Security Team found a format string bug during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax’ default configuration.
The “capi4hylafax” packages also need to be updated as a dependency where they are available. After any update has been successfully applied, the hfaxd server has to be restarted by issuing the following command as root:
/etc/rc.d/hylafax restart

SUSE reference SuSE-SA:2003:045 – hylafax
Mandrake reference MDKSA-2003:105 : hylafax

ls
A potential denial of service vulnerability exists in ls. The fileutils package contains several basic system utilities. One of these utilities is the “ls” program, which is used to list information about files and directories. In Red Hat Linux 9, the ls program is part of the coreutils package. Georgi Guninski discovered a memory starvation denial of service vulnerability in the ls program. It is possible to make ls allocate a huge amount of memory by specifying certain command line arguments. This vulnerability is remotely exploitable through services like wu-ftpd, which pass user arguments to ls. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0854 to this issue.
A non-exploitable integer overflow in ls has also been discovered. It is possible to make ls crash by specifying certain command line arguments. This vulnerability is remotely exploitable through services like wu-ftpd, which pass user arguments to ls. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0853 to this issue.
Red Hat reference RHSA-2003:309-08

Apache
A buffer overflow in mod_alias and mod_rewrite was discovered in Apache versions 1.3.19 and earlier, as well as Apache 2.0.47 and earlier. This happens when a regular expression with more than 9 captures is configured. An attacker would have to create a carefully crafted configuration file (.htaccess or httpd.conf) in order to exploit these problems.
Also, another buffer overflow in Apache 2.0.47 and earlier in mod_cgid’s mishandling of CGI redirect paths could result in CGI output going to the wrong client when a threaded MPM is used.
Mandrake reference MDKSA-2003:103 : apache

Apache 2
A problem was discovered in Apache2 where CGI scripts that output more than 4k of output to STDERR will hang the script’s execution. This can cause a Denial of Service on the httpd process because it is waiting for more input from the CGI that is not forthcoming due to the locked write() call in mod_cgi. On systems that use scripts that output more than 4k to STDERR, this could cause httpd processes to hang, and once the maximum connection limit is reached, Apache will no longer respond to requests.
Users may have to restart apache manually after the upgrade by issuing the following command
service httpd restart

Mandrake reference MDKSA-2003:096-1 : apache2
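The pipe deadlock described above, reproduced in an added Python example that is not part of the magazine text or of mod_cgi: a stand-in CGI child writes more than a pipe buffer to stderr before it touches stdout. run_stdout_only waits on stdout alone and hangs the way the advisory describes (returning None once its safety timeout fires), while run_draining_both services both pipes and completes. CGI_STUB, STDERR_FLOOD and the function names are constructed for this example.

```python
import os
import select
import subprocess
import sys
# Stand-in CGI script, constructed for this example: it writes N bytes to
# stderr and only then a single line to stdout, the pattern in the advisory.
CGI_STUB = (
    "import sys; n = int(sys.argv[1]);"
    " sys.stderr.write('e' * n); sys.stderr.flush();"
    " sys.stdout.write('done\\n'); sys.stdout.flush()"
)
# Well past any default pipe buffer, so the child's stderr write() blocks.
STDERR_FLOOD = 512 * 1024

def spawn(stderr_bytes):
    return subprocess.Popen([sys.executable, "-c", CGI_STUB, str(stderr_bytes)],
                            stdout=subprocess.PIPE, stderr=subprocess.PIPE)

def run_stdout_only(stderr_bytes, timeout=5.0):
    """Hanging pattern: wait on stdout and never drain stderr.  Once the child
    has filled the stderr pipe its write() blocks, it never reaches the stdout
    write, and the parent waits forever.  Returns stdout, or None on timeout."""
    p = spawn(stderr_bytes)
    ready, _, _ = select.select([p.stdout], [], [], timeout)
    if not ready:
        p.kill()
        p.wait()
        return None
    out = p.stdout.read()
    p.wait()
    return out

def run_draining_both(stderr_bytes):
    """Fixed pattern: read whichever pipe is ready until both hit EOF, so the
    child can never block on stderr.  Returns (stdout, number of stderr bytes)."""
    p = spawn(stderr_bytes)
    out_fd, err_fd = p.stdout.fileno(), p.stderr.fileno()
    data = {out_fd: bytearray(), err_fd: bytearray()}
    open_fds = set(data)
    while open_fds:
        ready, _, _ = select.select(list(open_fds), [], [])
        for fd in ready:
            chunk = os.read(fd, 65536)
            if chunk:
                data[fd] += chunk
            else:
                open_fds.discard(fd)
    p.wait()
    return bytes(data[out_fd]), len(data[err_fd])
```

A current kernel's pipe buffer is larger than the 4k the advisory quotes, which is why STDERR_FLOOD is set well above it; a real server that only reads stdout would sit in the blocked state indefinitely rather than return after a timeout.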

CUPS
CUPS is a print spooler. Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631).
Red Hat reference RHSA-2003:275-07

Ethereal
Ethereal is a program for monitoring network traffic. A number of security issues affect Ethereal. By exploiting these issues, it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully-malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
A buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0925 to this issue.
Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) via certain malformed ISAKMP or MEGACO packets. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0926 to this issue.
A heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. The Common Vulnerabilities and Exposures project has assigned the name CAN-2003-0927 to this issue.
Red Hat reference RHSA-2003:323-07

CDE
The Common Desktop Environment (CDE) for Unix systems has had a vulnerability reported by the CERT Coordination Center. This vulnerability can allow a local user to gain root privileges.
CDE libDtHelp contains a buffer overflow that can be exploited by any local user. If an attacker modifies DTHELPUSERSEARCHPATH and then invokes Help, the attacker can gain the escalated privileges. Any other program that runs with the new elevated privileges and links to libDtHelp is then a potential attack vector on the system. As a result of this error, the attacker may be able to crash vulnerable programs, which in turn could cause a denial of service on the computer system.
Patches and upgrades are now available for this error for a wide range of systems and architectures that CDE is used on.
CERT reference VU#575804