XFree86 is an implementation of the X Window System providing the core graphical user interface and video drivers in Red Hat Linux. XDM is the X display manager. Multiple integer overflows in the transfer and enumeration of font libraries in XFree86 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. The risk to users from this vulnerability is limited because only clients of a font server can be affected by these bugs; however, in some (non-default) configurations, both xfs and the X server can act as clients to remote font servers. XDM does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the pam_krb5 module. Updated packages are available from
updates.redhat.com.
A bug in Pan versions prior to 0.13.4 can cause Pan to crash when parsing an article header containing a very long author email address. This bug causes a crash (denial of service) but is not further exploitable. Updated packages are available from
updates.redhat.com.
The iproute package contains advanced IP routing and network device configuration tools. Herbert Xu reported that iproute can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. Updated packages are available from
updates.redhat.com.
Stunnel is a wrapper for network connections. It can be used to tunnel an unencrypted network connection over an encrypted connection (encrypted using SSL or TLS) or to provide an encrypted means of connecting to services that do not natively support encryption. A previous advisory provided updated packages to address re-entrancy problems in stunnel's signal-handling routines. These updates did not address other bugs that were found by Steve Grubb, and introduced an additional bug, which was fixed in stunnel 3.26. Updated packages are available from
updates.redhat.com.
EPIC (Enhanced Programmable ircII Client) is an advanced ircII chat client designed to connect to Internet Relay Chat (IRC) servers. A bug in various versions of EPIC allows remote malicious IRC servers to cause a denial of service (crash) and execute arbitrary code via a CTCP request from a large nickname, which causes an incorrect length calculation. Updated packages are available from
updates.redhat.com.
XFree86 is an implementation of the X Window System providing the core graphical user interface and video drivers in Red Hat Linux. XDM is the X display manager. Multiple integer overflows in the transfer and enumeration of font libraries in XFree86 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. XDM does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the pam_krb5 module. XDM uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies by brute force and gain access to the user's session. Updated packages are available from
updates.redhat.com.
The sane (Scanner Access Now Easy) package provides access to scanners either locally or remotely over the network. Several bugs in sane were fixed to avoid remote denial-of-service attacks. These attacks can be carried out even if the remote attacker is not allowed to access the sane server, i.e. even if the attacker's IP address is not listed in saned.conf. By default saned only accepts local requests. Fixed packages are available from
ftp.suse.com.
A security-related problem has been discovered in minimalist, a mailing list manager, which allows a remote attacker to execute arbitrary commands. Fixed packages are available from
security.debian.org.
The SuSE Security Team discovered several exploitable format string vulnerabilities in hylafax, a flexible client/server fax system, which could lead to executing arbitrary code as root on the fax server. Fixed packages are available from
security.debian.org.
PostgreSQL is an advanced Object-Relational database management system (DBMS). Two bugs that can lead to buffer overflows have been found in the PostgreSQL abstract data type to ASCII conversion routines. A remote attacker who is able to influence the data passed to the to_ascii functions may be able to execute arbitrary code in the context of the PostgreSQL server. These issues affect PostgreSQL 7.2.x, and 7.3.x before 7.3.4. In addition, a bug that can lead to leaks has been found in the string to timestamp abstract data type conversion routine. If the input string to the to_timestamp() routine is shorter than what the template string is expecting, the routine will run off the end of the input string, resulting in the leakage of data from previous timestamp conversions and in unstable behavior. Fixed packages are available from
updates.redhat.com.
Zebra is an open source implementation of TCP/IP routing software. Jonny Robertson reported that Zebra can be remotely crashed if a Zebra password has been enabled and a remote attacker can connect to the Zebra telnet management port. Herbert Xu reported that Zebra can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. Fixed packages are available from
updates.redhat.com.
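The netlink spoofing problem Herbert Xu reported is the same in iproute and Zebra above (and in glibc's getifaddrs, noted in the next entry): a datagram arriving on a NETLINK_ROUTE socket is not necessarily from the kernel, because any local process can open its own netlink socket and send to our port id. The following is an added example, not code from iproute, Zebra or glibc, showing the two checks a receiver should apply: the sender address returned by recvfrom() must have nl_pid == 0, and each reply must carry our own port id and sequence number. The RTM_GETLINK dump, the function names and the 16 KiB buffer are choices made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* The kernel always sends with nl_pid == 0. Another unprivileged local
 * process can send us a unicast netlink datagram with forged contents
 * (or an early NLMSG_DONE), so the sender address must be checked. */
int netlink_sender_is_kernel(const struct sockaddr_nl *from, socklen_t fromlen)
{
    return from != NULL
        && fromlen >= (socklen_t)sizeof *from
        && from->nl_family == AF_NETLINK
        && from->nl_pid == 0;
}

/* Second check: a reply to our request echoes our sequence number and is
 * addressed to our own port id. */
int netlink_reply_matches(const struct nlmsghdr *nh, __u32 my_port, __u32 seq)
{
    return nh->nlmsg_pid == my_port && nh->nlmsg_seq == seq;
}

/* Dump the interface table and count RTM_NEWLINK replies, dropping any
 * datagram that fails either check. Returns the count, -1 on error. */
int count_trusted_links(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return -1;

    struct sockaddr_nl self = { .nl_family = AF_NETLINK };
    socklen_t slen = sizeof self;
    if (bind(fd, (struct sockaddr *)&self, sizeof self) < 0 ||
        getsockname(fd, (struct sockaddr *)&self, &slen) < 0) {
        close(fd);
        return -1;
    }

    const __u32 seq = 1;
    struct { struct nlmsghdr nh; struct rtgenmsg g; } req = {
        .nh = { .nlmsg_len   = NLMSG_LENGTH(sizeof(struct rtgenmsg)),
                .nlmsg_type  = RTM_GETLINK,
                .nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP,
                .nlmsg_seq   = seq },
        .g  = { .rtgen_family = AF_UNSPEC },
    };
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    if (sendto(fd, &req, req.nh.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        close(fd);
        return -1;
    }

    union { struct nlmsghdr hdr; char raw[16384]; } buf; /* keeps nlmsghdr alignment */
    int links = 0, done = 0;
    while (!done) {
        struct sockaddr_nl from;
        socklen_t fromlen = sizeof from;
        ssize_t got = recvfrom(fd, buf.raw, sizeof buf.raw, 0,
                               (struct sockaddr *)&from, &fromlen);
        if (got < 0) {
            if (errno == EINTR)
                continue;
            close(fd);
            return -1;
        }
        if (!netlink_sender_is_kernel(&from, fromlen))
            continue;                        /* spoofed by a local user: drop */

        int len = (int)got;
        for (struct nlmsghdr *nh = &buf.hdr; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
            if (!netlink_reply_matches(nh, self.nl_pid, seq))
                continue;                    /* not an answer to our request */
            if (nh->nlmsg_type == NLMSG_DONE) { done = 1; break; }
            if (nh->nlmsg_type == NLMSG_ERROR) { close(fd); return -1; }
            if (nh->nlmsg_type == RTM_NEWLINK)
                links++;
        }
    }
    close(fd);
    return links;
}

int main(void)
{
    int n = count_trusted_links();
    if (n < 0) {
        perror("netlink");
        return 1;
    }
    printf("%d link(s) reported by the kernel\n", n);
    return 0;
}
```

The port-id/sequence check alone is not enough: a local attacker can read our port id from /proc and guess a sequence number, which is why the sender address check comes first.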
The glibc packages contain GNU libc, which provides standard system libraries. A bug in the getgrouplist function can cause a buffer overflow if the size of the group list is too small to hold all the user's groups. This overflow can cause segmentation faults in user applications, which may have security implications, depending on the application in question. This vulnerability exists only when an administrator has placed a user in a number of groups larger than that expected by an application. Therefore, there is no risk in instances where users are members of few groups. Herbert Xu reported that various applications can accept spoofed messages sent on the kernel netlink interface by other users on the local machine. This could lead to a local denial of service attack. In Red Hat Linux 9 and later, the glibc function getifaddrs uses netlink and could therefore be vulnerable to this issue. Updated packages are available from
updates.redhat.com.
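A caller-side example of the getgrouplist() contract described in the glibc entry above, added here and not taken from glibc or any Red Hat package: it starts with an array that is deliberately too small, relies on the -1 return and the updated *ngroups to grow it, and never lets the library write past what it allocated. Callers that size the array once and ignore the return value are exactly the ones the advisory describes. The user name and gid are looked up at run time; the function names and the bound of eight retries are assumptions of this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Fetch the complete group list for `user`, growing the buffer on demand.
 * A fixed glibc returns -1 and stores the required count in *ngroups when
 * the caller's array is too small; this loop relies on that instead of
 * guessing a fixed size. On success returns the number of gids stored in
 * *out (caller frees); returns -1 on allocation failure or if the library
 * keeps refusing without reporting a size. */
int fetch_groups(const char *user, gid_t primary, gid_t **out)
{
    int ngroups = 1;              /* too small on purpose: exercises the retry path */
    gid_t *groups = NULL;

    for (int attempt = 0; attempt < 8; attempt++) {
        gid_t *tmp = realloc(groups, (size_t)ngroups * sizeof *groups);
        if (tmp == NULL) {
            free(groups);
            return -1;
        }
        groups = tmp;

        int before = ngroups;
        int rc = getgrouplist(user, primary, groups, &ngroups);
        if (rc >= 0) {            /* exactly ngroups entries were written */
            *out = groups;
            return ngroups;
        }
        if (ngroups <= before)    /* no size hint: grow anyway rather than spin */
            ngroups = before * 2;
    }
    free(groups);
    return -1;
}

/* Does the fetched list contain gid `g`? */
int groups_contain(const gid_t *groups, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == g)
            return 1;
    return 0;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        perror("getpwuid");
        return 1;
    }
    gid_t *groups = NULL;
    int n = fetch_groups(pw->pw_name, pw->pw_gid, &groups);
    if (n < 0) {
        fprintf(stderr, "getgrouplist failed for %s\n", pw->pw_name);
        return 1;
    }
    printf("%s is in %d group(s):", pw->pw_name, n);
    for (int i = 0; i < n; i++)
        printf(" %lu", (unsigned long)groups[i]);
    printf("\n");
    free(groups);
    return 0;
}
```

Because the primary gid passed in is always included in the result, a user unknown to the system still yields a one-entry list; only the retry path depends on how many groups the administrator actually assigned.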
Steve Kemp discovered a buffer overflow in the commandline and environment variable handling of omega-rpg, a text-based rogue-style game of dungeon exploration, which could lead a local attacker to gain unauthorised access to the group games. Fixed packages are available from
security.debian.org.
Ethereal is a program for monitoring network traffic. A number of security issues affect Ethereal. By exploiting these issues, it may be possible to make Ethereal crash or run arbitrary code by injecting a purposefully-malformed packet onto the wire or by convincing someone to read a malformed packet trace file. Fixed packages are available from
updates.redhat.com.
Hylafax is an Open Source fax server which allows sharing of fax equipment among computers by offering its service to clients by a protocol similar to FTP. The SuSE Security Team found a format bug condition during a code review of the hfaxd server. It allows remote attackers to execute arbitrary code as root. However, the bug can not be triggered in hylafax' default configuration. Fixed packages are available from
ftp.suse.com.
Jeremy Nelson discovered a remotely exploitable buffer overflow in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft a reply which triggers the client to allocate a negative amount of memory. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user. Fixed packages are available from
security.debian.org.
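The XFree86 font-transfer integer overflows and the two EPIC entries above (a CTCP request from a large nickname causing an incorrect length calculation; a reply that makes the client allocate a negative amount of memory) share one root cause: a length or count taken from the peer is used to size a buffer without checking its sign or the multiplication. The helpers below are an added example written for this page, not code from XFree86, xfs or EPIC; the function names and the length-prefixed string layout are assumptions of the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length fields received from a peer are attacker-controlled. Two classic
 * failures: a signed length that is negative converts to a huge size_t,
 * so the allocation is tiny or fails and the following copy overruns;
 * and count * element_size wraps, so the buffer is far smaller than the
 * loop that fills it assumes. Every helper below refuses rather than guesses. */

/* Compute count * elem without wrapping. Returns 1 and stores the product
 * in *out, or returns 0 (with *out = 0) on a negative count, a zero
 * element size, or overflow. */
int checked_size(long count, size_t elem, size_t *out)
{
    *out = 0;
    if (count < 0 || elem == 0)
        return 0;
    if ((unsigned long)count > SIZE_MAX / elem)
        return 0;
    *out = (size_t)count * elem;
    return 1;
}

/* malloc() for `count` elements of `elem` bytes; NULL if the size cannot be
 * represented. Zero-sized requests are refused too, so a caller never gets
 * a pointer it must not write through. */
void *checked_alloc(long count, size_t elem)
{
    size_t total;
    if (!checked_size(count, elem, &total) || total == 0)
        return NULL;
    return malloc(total);
}

/* Copy a length-prefixed string out of a received buffer holding `avail`
 * bytes. The declared length is validated against what actually arrived
 * before anything is allocated or copied. Returns a NUL-terminated heap
 * string (caller frees) or NULL. */
char *copy_wire_string(const unsigned char *buf, size_t avail, long declared_len)
{
    if (declared_len < 0 || (unsigned long)declared_len > avail)
        return NULL;
    size_t n = (size_t)declared_len;        /* n <= avail, so n + 1 cannot wrap */
    char *s = checked_alloc((long)n + 1, 1);
    if (s == NULL)
        return NULL;
    memcpy(s, buf, n);
    s[n] = '\0';
    return s;
}

int main(void)
{
    /* Constructed 8-byte receive buffer whose header claims a 4-byte field. */
    const unsigned char wire[] = "nickjunk";
    char *s = copy_wire_string(wire, 8, 4);
    printf("declared 4 of 8 bytes: %s\n", s ? s : "(refused)");
    free(s);
    printf("declared -1: %s\n", copy_wire_string(wire, 8, -1) ? "accepted" : "(refused)");
    printf("declared 100 of 8: %s\n", copy_wire_string(wire, 8, 100) ? "accepted" : "(refused)");
    printf("LONG_MAX * 8 bytes: %s\n", checked_alloc(LONG_MAX, 8) ? "accepted" : "(refused)");
    return 0;
}
```

Note the order in copy_wire_string: the declared length is compared with the bytes actually received before the allocation, so neither a negative value nor an over-long claim ever reaches malloc or memcpy.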
Steve Kemp discovered a buffer overflow in the environment variable handling of conquest, a curses based, real-time, multi-player space warfare game, which could lead a local attacker to gain unauthorised access to the group conquest. Fixed packages are available from
security.debian.org.
Tom Lane discovered a buffer overflow in the to_ascii function in PostgreSQL. This allows remote attackers to execute arbitrary code on the host running the database. Fixed packages are available from
security.debian.org.
Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631). Fixed packages are available from
updates.redhat.com.
The fileutils package contains several basic system utilities. One of these utilities is the "ls" program, which is used to list information about files and directories. In Red Hat Linux 9, the ls program is part of the coreutils package. Georgi Guninski discovered a memory starvation denial of service vulnerability in the ls program. It is possible to make ls allocate a huge amount of memory by specifying certain command line arguments. Also, a non-exploitable integer overflow in ls has been discovered. It is possible to make ls crash by specifying certain command line arguments. These vulnerabilities are remotely exploitable through services like wu-ftpd, which pass user arguments to ls. Fixed packages are available from
updates.redhat.com.
CUPS is a print spooler. Paul Mitcheson reported a situation where the CUPS Internet Printing Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get into a busy loop. This could result in a denial of service. In order to exploit this bug an attacker would need to have the ability to make a TCP connection to the IPP port (by default 631). Fixed packages are available from
updates.redhat.com.
Two vulnerabilities were found in the "tiny" web-server thttpd. The first bug is a buffer overflow that can be exploited remotely to overwrite the saved EBP register on the stack. Due to the stack alignment done by gcc 3.x this bug cannot be exploited. All thttpd versions mentioned in this advisory are compiled with gcc 3.x and are therefore not exploitable. The other bug occurs in the virtual-hosting code of thttpd. A remote attacker can bypass the virtual-hosting mechanism to read arbitrary files. Fixed packages are available from
ftp.suse.com.
Several vulnerabilities have been discovered in thttpd, a tiny HTTP server. Marcus Breiing discovered that if thttpd is used for virtual hosting, and an attacker supplies a specially crafted ``Host:'' header with a pathname instead of a hostname, thttpd will reveal information about the host system. Hence, an attacker can browse the entire disk. Joel Soderberg and Christer Oberg discovered a remote overflow which allows an attacker to partially overwrite the saved EBP register and hence execute arbitrary code. Fixed packages are available from
security.debian.org.
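For the virtual-hosting bug in both thttpd entries above, the hardening is to refuse any Host: value that is not syntactically a hostname before it is used to build a directory path. The validator and path builder below are an added example, not thttpd's own code; the vhost root directory, the lowercasing, the port-stripping and the function names are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Accept only what a hostname can legitimately contain (alphanumeric
 * labels with inner hyphens, joined by single dots, optional :port) and
 * nothing the filesystem would interpret: no '/', no empty labels, so
 * "..", a leading '.' or an absolute path can never get through.
 * Returns 1 if the value is safe to use as a directory name, else 0. */
int vhost_name_is_safe(const char *host)
{
    size_t len = strlen(host);
    if (len == 0 || len > 253)
        return 0;

    const char *colon = strchr(host, ':');
    size_t hlen = colon ? (size_t)(colon - host) : len;
    if (colon != NULL) {                     /* optional numeric port */
        if (colon[1] == '\0')
            return 0;
        for (const char *p = colon + 1; *p; p++)
            if (!isdigit((unsigned char)*p))
                return 0;
    }
    if (hlen == 0)
        return 0;

    int label_len = 0;
    for (size_t i = 0; i < hlen; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label_len == 0)              /* leading dot or ".." */
                return 0;
            label_len = 0;
        } else if (isalnum(c) || c == '-') {
            if (c == '-' && label_len == 0)  /* label may not start with '-' */
                return 0;
            if (++label_len > 63)
                return 0;
        } else {
            return 0;                        /* '/', '\\', '%', space, control, ... */
        }
    }
    return label_len > 0;                    /* rejects a trailing dot */
}

/* Build "<root>/<host>" (port stripped, lowercased) into out, but only for a
 * validated host. Returns 0 on success, -1 if rejected or out is too small. */
int build_vhost_path(const char *root, const char *host, char *out, size_t outlen)
{
    if (!vhost_name_is_safe(host))
        return -1;
    const char *colon = strchr(host, ':');
    size_t hlen = colon ? (size_t)(colon - host) : strlen(host);
    int n = snprintf(out, outlen, "%s/%.*s", root, (int)hlen, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    for (char *p = out + strlen(root) + 1; *p; p++)
        *p = (char)tolower((unsigned char)*p);
    return 0;
}

int main(int argc, char **argv)
{
    const char *host = argc > 1 ? argv[1] : "../../etc";   /* constructed default input */
    char path[512];
    if (build_vhost_path("/var/www/vhosts", host, path, sizeof path) == 0)
        printf("serving from %s\n", path);
    else
        printf("rejected Host: %s\n", host);
    return 0;
}
```

A denylist of ".." and "/" would have missed variants such as a leading "/" alone or percent-encoded separators decoded later; an allowlist on the hostname grammar does not depend on which path tricks the server's file code happens to honour.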
Aldrin Martoq has discovered a denial of service (DoS) vulnerability in Apache Tomcat 4.0.x. Sending several non-HTTP requests to Tomcat's HTTP connector makes Tomcat reject further requests on this port until it is restarted. Fixed packages are available from
security.debian.org.
Steve Henson of the OpenSSL core team identified and prepared fixes for a number of vulnerabilities in the OpenSSL ASN1 code that were discovered after running a test suite provided by the British National Infrastructure Security Coordination Centre (NISCC). A bug in OpenSSL's SSL/TLS protocol handling was also identified which causes OpenSSL to parse a client certificate from an SSL/TLS client when it should reject it as a protocol error. Fixed packages are available from
security.debian.org.
MySQL is a multi-user, multi-threaded SQL database server. Frank Denis reported a bug in unpatched versions of MySQL prior to version 3.23.58. Passwords for MySQL users are stored in the Password field of the user table. Under this bug, a Password field with a value greater than 16 characters can cause a buffer overflow. It may be possible for an attacker with the ability to modify the user table to exploit this buffer overflow to execute arbitrary code as the MySQL user. Fixed packages are available from
updates.redhat.com.
SANE is a package for using document scanners. Sane includes a daemon program (called saned) that enables a single machine connected to a scanner to be used remotely. This program contains several vulnerabilities. The IP address of the remote host is only checked after the first communication occurs, causing saned.conf restrictions to be ineffective for the first communication. A connection that is dropped early causes one of several problems. Lack of error checking can cause various other unfavorable consequences. Fixed packages are available from
updates.redhat.com.
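The saned issue above (and the sane entry earlier on this page) is an ordering bug: the peer address was checked only after the first exchange, so the restrictions in saned.conf did not protect the first message. The following is an added example, not saned's code, of taking the decision from the socket's peer address before any read(). The allowlist syntax (one IPv4 host or CIDR prefix per line, '#' comments) and the function names are assumptions of this example; saned.conf's real syntax differs.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Constructed allowlist for this example. */
static const char *const ALLOWLIST =
    "# hosts allowed to reach the scanner\n"
    "127.0.0.1\n"
    "192.168.10.0/24\n";

/* Parse one "a.b.c.d" or "a.b.c.d/n" entry of `len` bytes into a
 * network-order network address and mask. Returns 1 on success. */
static int parse_entry(const char *entry, size_t len, uint32_t *net, uint32_t *mask)
{
    char buf[64];
    if (len == 0 || len >= sizeof buf)
        return 0;
    memcpy(buf, entry, len);
    buf[len] = '\0';

    int bits = 32;
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        char *end;
        long v = strtol(slash + 1, &end, 10);
        if (*end != '\0' || v < 0 || v > 32)
            return 0;
        bits = (int)v;
    }
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1)
        return 0;
    *mask = bits == 0 ? 0 : htonl(0xFFFFFFFFu << (32 - bits));
    *net = a.s_addr & *mask;
    return 1;
}

/* 1 if peer_ip (dotted quad) matches any allowlist entry, else 0.
 * Unparsable peer addresses and malformed entries fail closed. */
int peer_allowed(const char *allowlist, const char *peer_ip)
{
    struct in_addr peer;
    if (inet_pton(AF_INET, peer_ip, &peer) != 1)
        return 0;

    const char *line = allowlist;
    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        while (len > 0 && isspace((unsigned char)line[0])) { line++; len--; }
        while (len > 0 && isspace((unsigned char)line[len - 1])) len--;

        uint32_t net, mask;
        if (len > 0 && line[0] != '#' &&
            parse_entry(line, len, &net, &mask) &&
            (peer.s_addr & mask) == net)
            return 1;

        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return 0;
}

/* Per-connection handler with the check in the right place: the peer is
 * identified from the socket and compared with the allowlist before a single
 * protocol byte is read, so an unlisted host never reaches the request
 * parser. Returns bytes of request read, or -1 if refused or on error. */
int serve_connection(int fd)
{
    struct sockaddr_in peer;
    socklen_t plen = sizeof peer;
    char ip[INET_ADDRSTRLEN];

    if (getpeername(fd, (struct sockaddr *)&peer, &plen) < 0 ||
        peer.sin_family != AF_INET ||
        inet_ntop(AF_INET, &peer.sin_addr, ip, sizeof ip) == NULL ||
        !peer_allowed(ALLOWLIST, ip)) {
        close(fd);                                /* refused before any read() */
        return -1;
    }

    char req[512];
    ssize_t n = read(fd, req, sizeof req);        /* only an allowed peer gets here */
    return n < 0 ? -1 : (int)n;
}

int main(int argc, char **argv)
{
    const char *ip = argc > 1 ? argv[1] : "192.168.11.5";   /* constructed default */
    printf("%s: %s\n", ip, peer_allowed(ALLOWLIST, ip) ? "allowed" : "refused");
    return 0;
}
```

Doing the check on the accepted socket rather than on data the client sends also means the client cannot influence the decision at all; the first message is never parsed for an unlisted peer, which removes the "dropped early" and missing-error-check paths from reach of unauthorised hosts.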
Perl is a high-level programming language commonly used for system administration utilities and Web programming. Two security issues have been found in Perl that affect the Perl packages shipped with Red Hat Linux. When Safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and earlier, it is possible for an attacker to break out of safe compartments within Safe::reval and Safe::rdo by using a redefined @_ variable, because the redefined @_ variable is not reset between successive calls. A cross-site scripting vulnerability was discovered in the start_form() function of CGI.pm. The vulnerability allows a remote attacker to insert a Web script via a URL fed into the form's action parameter. Updated packages are available from
updates.redhat.com.
OpenSSL is an implementation of the Secure Socket Layer (SSL v2/3) and Transport Layer Security (TLS v1) protocols. While checking the OpenSSL implementation with a tool-kit from NISCC, several errors were revealed; most are ASN.1 encoding issues that cause a remote denial of service on the server side and could possibly lead to remote command execution. There are two problems with ASN.1 encoding that can be triggered either by special ASN.1 encodings or by special ASN.1 tags. In debugging mode, public key decoding errors can be ignored, but this also leads to a crash of the verify code if an invalid public key was received from the client. A mistake in the SSL/TLS protocol handling makes the server accept client certificates even if they were not requested. This bug makes it possible to exploit the bugs mentioned above even if client authentication is disabled. There is no other known solution to this problem than updating to the current version from our FTP servers. Fixed packages are available from
ftp.suse.com.
Dr. Stephen Henson (steve@openssl.org), using a test suite provided by NISCC (www.niscc.gov.uk), discovered a number of errors in the OpenSSL ASN1 code. Combined with an error that causes the OpenSSL code to parse client certificates even when it should not, these errors can cause a denial of service (DoS) condition on a system using the OpenSSL code, depending on how that code is used. For example, even though apache-ssl and ssh link to OpenSSL libraries, they should not be affected by this vulnerability. However, other SSL-enabled applications may be vulnerable and an OpenSSL upgrade is recommended. Fixed packages are available from
security.debian.org.