A remotely exploitable buffer overflow within the authentication code of MySQL has been reported. This allows remote attackers who have access to the 'User' table to execute arbitrary commands as the mysql user. Fixed packages can be obtained from ftp.suse.com.
LSH is the GNU implementation of SSH and can be seen as an alternative to OpenSSH. Recently various remotely exploitable buffer overflows have been reported in LSH. These allow attackers to execute arbitrary code as root on unpatched systems. LSH is not installed by default on SuSE Linux. An update is therefore only recommended if you run LSH. Fixed packages can be obtained from ftp.suse.com.
Jens Steube reported two vulnerabilities in webfs, a lightweight HTTP server for static content. When virtual hosting is enabled, a remote client could specify ".." as the hostname in a request, allowing retrieval of directory listings or files above the document root. A long pathname could overflow a buffer allocated on the stack, allowing execution of arbitrary code. In order to exploit this vulnerability, it would be necessary to be able to create directories on the server in a location which could be accessed by the web server. Fixed packages are available from security.debian.org.
Steve Kemp discovered a buffer overflow in freesweep, when processing several environment variables. This vulnerability could be exploited by a local user to gain gid 'games'. Fixed packages are available from security.debian.org.
Steve Kemp discovered a buffer overflow in marbles, when processing the HOME environment variable. This vulnerability could be exploited by a local user to gain gid 'games'. Fixed packages are available from security.debian.org.
Perl is a high-level programming language commonly used for system administration utilities and Web programming. Two security issues have been found in Perl that affect the Perl packages shipped with Red Hat Linux. When Safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and earlier, it is possible for an attacker to break out of safe compartments within Safe::reval and Safe::rdo by using a redefined @_ variable. This is due to the fact that the redefined @_ variable is not reset between successive calls. A cross-site scripting vulnerability was discovered in the start_form() function of CGI.pm. The vulnerability allows a remote attacker to insert a Web script via a URL fed into the form's action parameter. Updated packages are available from updates.redhat.com.
The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl which can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. It is possible for Apache 1.3 to enter an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds a new LimitInternalRecursion directive. Updated packages are available from updates.redhat.com.
ipmasq is a package which simplifies configuration of Linux IP masquerading, a form of network address translation which allows a number of hosts to share a single public IP address. Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for an internal host would be forwarded, regardless of whether it was associated with an established connection. This vulnerability could be exploited by an attacker capable of forwarding IP traffic with an arbitrary destination address to the external interface of a system with ipmasq installed. Fixed packages are available from security.debian.org.
sendmail is the most widely used mail transport agent (MTA) on the Internet. A remotely exploitable buffer overflow has been found in all versions of sendmail that come with SuSE products. These versions include the sendmail-8.11 and sendmail-8.12 releases. sendmail is the MTA subsystem that is installed by default on all SuSE products up to and including SuSE Linux 8.0 and the SuSE Linux Enterprise Server 7. Fixed packages are available from ftp.suse.com.
Two vulnerabilities were discovered in kdebase. KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. Fixed packages are available from security.debian.org.
gopherd, a gopher server from the University of Minnesota, contains a number of buffer overflows which could be exploited by a remote attacker to execute arbitrary code with the privileges of the gopherd process (the "gopher" user by default). Fixed packages are available from security.debian.org.
The SuSE security team discovered during an audit a problem in the Mail::Mailer module, a Perl module used for sending email, whereby potentially untrusted input is passed to a program such as mailx, which may interpret certain escape sequences as commands to be executed. Fixed packages are available from security.debian.org.
Jens Steube reported a pair of buffer overflow vulnerabilities in hztty, a program to translate Chinese character encodings in a terminal session. These vulnerabilities could be exploited by a local attacker to gain root privileges on a system where hztty is installed. Additionally, hztty had been incorrectly installed setuid root, when it only requires the privileges of group utmp. This has also been corrected in this update. Fixed packages are available from security.debian.org.
Two vulnerabilities were reported in sendmail. A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient, (2) final, or (3) mailer-specific envelope recipients, has unknown consequences. The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. Fixed packages are available from security.debian.org.
Sendmail is a widely used Mail Transport Agent (MTA) and is included in all Red Hat Linux distributions. Michal Zalewski found a bug in the prescan() function of unpatched Sendmail versions prior to 8.12.10. The successful exploitation of this bug can lead to heap and stack structure overflows. Although no exploit currently exists, this issue is locally exploitable and may also be remotely exploitable. Updated packages are available from updates.redhat.com.
The openssh package is the most widely used implementation of the secure shell protocol family (ssh). It provides a set of network connectivity tools for remote (shell) login, designed to substitute the traditional BSD-style r-protocols (rsh, rlogin). openssh has various authentication mechanisms and many other features such as TCP connection and X11 display forwarding over the fully encrypted network connection as well as file transfer facilities. A programming error has been found in code responsible for buffer management. If exploited by a (remote) attacker, the error may lead to unauthorized access to the system, allowing the execution of arbitrary commands. The error is known as the buffer_append_space() bug. Fixed packages are available from ftp.suse.com.
A bug has been found in OpenSSH's buffer handling where a buffer could be marked as grown when the actual reallocation failed. This bug has been fixed in upstream version 3.7. For the Debian stable distribution this bug has been fixed in version 1:3.4p1-1.1. Fixed packages are available from security.debian.org.
OpenSSH is a suite of network connectivity tools that can be used to establish encrypted connections between systems on a network and can provide interactive login sessions and port forwarding, among other functions. The OpenSSH team has announced a bug which affects the OpenSSH buffer handling code. This bug has the potential of being remotely exploitable. Updated packages are available from updates.redhat.com.
KDE is a graphical desktop environment for the X Window System. KDE versions 2.2.0 through 3.1.3 inclusive contain a bug in the KDE Display Manager (KDM) when checking the result of a pam_setcred() call. If an error condition is triggered by the installed PAM modules, KDM might grant local root access to any user with valid login credentials. Updated packages are available from updates.redhat.com.
MySQL, a popular relational database system, contains a buffer overflow condition which could be exploited by a user who has permission to execute "ALTER TABLE" commands on the tables in the "mysql" database. If successfully exploited, this vulnerability could allow the attacker to execute arbitrary code with the privileges of the mysqld process (by default, user "mysql"). Since the "mysql" database is used for MySQL's internal record keeping, by default the mysql administrator "root" is the only user with permission to alter its tables. Fixed packages are available from security.debian.org.
Four vulnerabilities have been discovered in XFree86. The xterm window title reporting escape sequence can deceive the user; xterm is susceptible to a DEC UDK escape sequence denial-of-service attack; a flaw in the X server's MIT-SHM extension permits a user owning an X session to read and write arbitrary shared memory segments; and multiple integer overflows in the font libraries for XFree86 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. Fixed packages are available from security.debian.org.
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several security-related problems in the sane-backends package, which contains an API library for scanners including a scanning daemon (in the package libsane) that can be remotely exploited. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful even if the attacker's computer isn't listed in saned.conf. Fixed packages are available from security.debian.org.
The well known and widely used mail client pine is vulnerable to a buffer overflow. The vulnerability exists in the code processing 'message/external-body' type messages. It allows remote attackers to execute arbitrary commands as the user running pine. Additionally an integer overflow in the MIME header parsing code has been fixed. Fixed packages are available from ftp.suse.com.
Pine, developed at the University of Washington, is a tool for reading, sending, and managing electronic messages (including mail and news). A buffer overflow exists in the way unpatched versions of Pine prior to 4.57 handle the 'message/external-body' type. An integer overflow exists in the Pine MIME header parsing in versions prior to 4.57. Fixed packages are available from updates.redhat.com.
GtkHTML is the HTML rendering widget used by the Evolution mail reader. Versions of GtkHTML prior to 1.1.10 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash due to a null pointer dereference in the GtkHTML library. Fixed packages are available from updates.redhat.com.
Nicolas Boullis discovered two vulnerabilities in mah-jong, a network-enabled game. One vulnerability could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server. The second vulnerability could be exploited by a remote attacker to cause the mah-jong server to enter a tight loop and stop responding to commands. Fixed packages are available from security.debian.org.
A buffer overflow exists in exim, which is the standard mail transport agent in Debian. By supplying a specially crafted HELO or EHLO command, an attacker could cause a constant string to be written past the end of a buffer allocated on the heap. This vulnerability is not believed at this time to be exploitable to execute arbitrary code. Fixed packages are available from security.debian.org.
wu-ftpd, an FTP server, implements a feature whereby multiple files can be fetched in the form of a dynamically constructed archive file, such as a tar archive. The names of the files to be included are passed as command line arguments to tar, without protection against them being interpreted as command-line options. GNU tar supports several command line options which can be abused, by means of this vulnerability, to execute arbitrary programs with the privileges of the wu-ftpd process. Fixed packages are available from security.debian.org.
The Apache HTTP server is a powerful, full-featured, efficient, and freely-available Web server. Ben Laurie found a bug in the optional renegotiation code in mod_ssl included with Apache 2 versions 2.0.35 through 2.0.46 that can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. Yoshioka Tsuneo found that unpatched Apache 2 versions 2.0.35 to 2.0.46 have a bug that can cause a remote Denial of Service. When a client requests that the FTP proxy connect to an FTP server with an IPv6 address, and the proxy is unable to create an IPv6 socket, an infinite loop occurs. Saheed Akhtar found that unpatched Apache 2 versions 2.0.35 through 2.0.46 have a bug in the prefork MPM when handling accept errors. In a server with multiple listening sockets, a certain error returned by accept() on a rarely-accessed port can cause a temporary denial of service. It is possible for Apache 2 to enter an infinite loop handling internal redirects and nested subrequests. A patch for this issue adds the new LimitInternalRecursion directive. Fixed packages are available from updates.redhat.com.
The PAM module (and server) pam_smb allows users of Linux systems to be authenticated by querying an NT server. Dave Airlie informed the SuSE security team about a bug in the authentication code of pam_smb that allows a remote attacker to gain access to a system using pam_smb by issuing an overly long password string. Fixed packages can be obtained from ftp.suse.com.