A buffer overflow has been discovered in lpr, a BSD lpr/lpd line printer spooling system. This problem can be exploited by a local user to gain root privileges, even if the printer system is set up properly. Fixed packages are available from security.debian.org.
Mutt is a text-based Mail User Agent (MUA). The IMAP code of mutt is vulnerable to a buffer overflow that can be exploited by a malicious IMAP server to crash mutt or even execute arbitrary code with the privileges of the user running mutt. Fixed packages are available from ftp.suse.com.
Several vulnerabilities have been discovered in krb5, an implementation of MIT Kerberos. A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. The MIT Kerberos 5 implementation includes an RPC library derived from SUNRPC. The implementation contains length checks that are vulnerable to an integer overflow, which may be exploitable to create denials of service or to gain unauthorized access to sensitive information. Buffer overrun and underrun problems exist in Kerberos principal name handling in unusual cases, such as names with zero components, names with one empty component, or host-based service principal names with no host name component. Fixed packages are available from security.debian.org.
Ethereal is a GUI for analyzing and displaying network traffic. Ethereal is vulnerable to a format string bug in its SOCKS code and to a heap buffer overflow in its NTLMSSP code. These bugs can be abused to crash ethereal or possibly to execute arbitrary code on the machine running ethereal. Fixed packages are available from ftp.suse.com.
Rémi Perrot fixed several security-related bugs in bonsai, the web-based Mozilla CVS query tool. Vulnerabilities include arbitrary code execution, cross-site scripting and access to configuration parameters. Fixed packages are available from security.debian.org.
The Post Office Protocol (POP) server qpopper (version 4) was vulnerable to a buffer overflow. The buffer overflow occurs after authentication has taken place. Therefore POP users with a valid account can execute arbitrary code on the system running qpopper. Depending on the setup, the malicious code is run with higher privileges. Fixed packages are available from ftp.suse.com.
The file command can be used to determine the type of files. iDEFENSE published a security report about a buffer overflow in the handling routines for the ELF file format. In conjunction with other mechanisms such as print filters, cron jobs, e-mail scanners (such as AMaViS) and the like, this vulnerability can be used to gain higher privileges or to compromise the system remotely. Fixed packages are available from ftp.suse.com.
Evolution is a GNOME-based collection of personal information management (PIM) tools. Multiple vulnerabilities have been found in the Ximian Evolution email client. These vulnerabilities make it possible for a carefully crafted email to crash the program, cause general system instability through resource starvation and get around security measures implemented within the program. Fixed packages are available from updates.redhat.com.
The Linux kernel handles the basic functions of the operating system. A bug in the kernel module loader code allows a local user to gain root privileges. Additionally, multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets. Finally, the Linux 2.2 kernel allows local users to cause a denial of service (crash) by using the mmap() function with a PROT_READ parameter to access non-readable memory pages through the /proc/pid/mem interface. Fixed packages are available from updates.redhat.com.
The glibc package contains standard libraries that are used by multiple programs on the system. Sun RPC is a remote procedure call framework that allows clients to invoke procedures in a server process over a network. XDR is a mechanism for encoding data structures for use with RPC. Glibc contains an XDR encoder/decoder derived from Sun's RPC implementation, which was demonstrated to be vulnerable to an integer overflow. Additionally, an integer overflow is present in the xdrmem_getbytes() function of glibc 2.3.1 and earlier. Depending upon the application, this vulnerability could cause buffer overflows and may be exploitable leading to arbitrary code execution. Fixed packages are available from updates.redhat.com.
Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. Sebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could exploit the vulnerability to gain root access on the target machine. Additionally, a race condition was discovered which could allow an attacker to overwrite critical system files. Fixed packages are available from updates.redhat.com.
Upstream developers of lxr, a general hypertext cross-referencing tool, have been alerted of a vulnerability that allows a remote attacker to read arbitrary files on the host system as user www-data. This could disclose local files that were not meant to be shared with the public. Fixed packages are available from security.debian.org.
Sebastian Krahmer, SuSE Security Team, reviewed security-critical parts of the Samba server within the scope of security audits that the SuSE Security Team conducts on a regular basis for security-critical Open Source Software. Buffer overflows and a chown race condition have been discovered and fixed during the security audit. The buffer overflow vulnerability allows a remote attacker to execute arbitrary commands as root on the system running samba. In addition to the flaws fixed in the samba server, some overflow conditions in the samba-client package have been fixed with the available update packages. It is strongly recommended to install the update packages on a system where the samba package is used. Fixed packages are available from ftp.suse.com.
Al Viro and Alan Cox discovered several math overflow errors in NetPBM, a set of graphics conversion tools. These programs are not installed setuid root but are often installed to prepare data for processing. These vulnerabilities may allow remote attackers to cause a denial of service or execute arbitrary code. Fixed packages are available from security.debian.org.
The Linux kernel handles the basic functions of the operating system. A vulnerability has been found in version 2.4.18 of the kernel. This vulnerability makes it possible for local users to gain elevated (root) privileges without authorization. This advisory deals with updates to Red Hat Linux 7.1, 7.2, 7.3, and 8.0. Fixed packages are available from updates.redhat.com.
Rxvt is a color VT102 terminal emulator for the X Window System. A number of issues have been found in the escape sequence handling of Rxvt. These could potentially be exploited if an attacker can cause carefully crafted escape sequences to be displayed on an rxvt terminal being used by their victim. Fixed packages are available from updates.redhat.com.
Gnome-lokkit is a utility that provides firewalling for the average Linux end user based on responses to a small number of simple questions. Red Hat made modifications to Gnome-lokkit to support firewalls based on iptables instead of ipchains. In Red Hat Linux 8.0, the iptables ruleset created by Gnome-lokkit did not place any rules on the FORWARD chain. This is a security vulnerability if an administrator enables packet forwarding and uses an unmodified ruleset created by the Gnome-lokkit tool. Fixed packages are available from updates.redhat.com.
Sebastian Krahmer of the SuSE security audit team found two problems in samba, a popular SMB/CIFS implementation. The first problem is a buffer overflow in the SMB/CIFS packet fragment re-assembly code used by smbd. Since smbd runs as root, an attacker can use this to gain root access to a machine running smbd. Also, the code to write reg files was vulnerable to a chown race which made it possible for a local user to overwrite system files. Fixed packages are available from security.debian.org.
A problem has been discovered in tcpdump, a powerful tool for network monitoring and data acquisition. An attacker is able to send a specially crafted RADIUS network packet which causes tcpdump to enter an infinite loop. Fixed packages are available from security.debian.org.
iDEFENSE discovered a buffer overflow vulnerability in the ELF format parsing of the "file" command, one which can be used to execute arbitrary code with the privileges of the user running the command. The vulnerability can be exploited by crafting a special ELF binary which is then input to file. This could be accomplished by leaving the binary on the file system and waiting for someone to use file to identify it, or by passing it to a service that uses file to classify input. (For example, some printer filters run file to determine how to process input going to a printer.) Fixed packages are available from security.debian.org.
The network traffic analyzer tool tcpdump is vulnerable to a denial-of-service condition while parsing ISAKMP or BGP packets. This bug can be exploited remotely by an attacker to stop the use of tcpdump for analyzing network traffic for signs of security breaches or the like. Another bug may lead to system compromise due to the handling of malformed NFS packets sent by an attacker. Please note that tcpdump drops root privileges right after allocating the needed raw sockets. Fixed packages are available from ftp.suse.com.
The lprm command of the printing package lprold, shipped up to SuSE 7.3, contains a buffer overflow. This buffer overflow can be exploited by a local user, if the printer system is set up correctly, to gain root privileges. lprold is installed as a default package and has the setuid bit set. Fixed packages are available from ftp.suse.com.
Florian Heinz posted to the Bugtraq mailing list an exploit for qpopper based on a bug in the included vsnprintf implementation. The sample exploit requires a valid user account and password, and overflows a string in the pop_msg() function to give the user "mail" group privileges and a shell on the system. Since the Qvsnprintf function is used elsewhere in qpopper, additional exploits may be possible. Fixed packages are available from security.debian.org.
Georgi Guninski discovered a problem in ethereal, a network traffic analyzer. The program contains a format string vulnerability that could probably lead to execution of arbitrary code. Fixed packages are available from security.debian.org.
The file command is used to identify a particular file according to the type of data contained in the file. The file utility before version 3.41 contains a buffer overflow vulnerability in the ELF parsing routines. This vulnerability may allow an attacker to create a carefully crafted binary which can allow arbitrary code to be run if a victim runs the 'file' command on that binary. Fixed packages are available from updates.redhat.com.
Internet Message (IM) is a series of user interface commands and backend Perl5 libraries that integrate email and the NetNews user interface. They are designed to be used from both the Mew mail reader for Emacs and the command line. A vulnerability has been discovered by Tatsuya Kinoshita in the way two IM utilities create temporary files. By anticipating the names used to create files and directories stored in /tmp, it may be possible for a local attacker to corrupt or modify data as another user. Fixed packages are available from updates.redhat.com.
OpenSSL is a commercial-grade, full-featured, and open source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. In a paper, Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin Vuagnoux describe and demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS. An active attacker may be able to use timing observations to distinguish between two different error cases: cipher padding errors and MAC verification errors. Over multiple connections this can leak sufficient information to make it possible to retrieve the plaintext of a common, fixed block. Fixed packages are available from updates.redhat.com.
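To make the two error cases concrete, the following added example (not code from the advisory or from OpenSSL) contrasts a record check that returns early on bad padding with the mitigation OpenSSL adopted: on a padding failure, assume zero-length padding, still compute the MAC, and report a single generic error. It operates on an already-decrypted TLS 1.0-style record (data || HMAC-SHA1 || padding), constructed inline; the MAC-call counter is illustrative only.

```python
import hmac
import hashlib

MAC_LEN = hashlib.sha1().digest_size      # HMAC-SHA1, as in TLS 1.0 CBC ciphersuites
_MAC_CALLS = 0                            # illustrative: how much MAC work each path does


def tls_mac(key: bytes, data: bytes) -> bytes:
    global _MAC_CALLS
    _MAC_CALLS += 1
    return hmac.new(key, data, hashlib.sha1).digest()


def mac_calls() -> int:
    return _MAC_CALLS


def build_record(key: bytes, data: bytes, block: int = 8) -> bytes:
    """Constructed sample: data || MAC || padding, as it looks after CBC decryption."""
    body = data + tls_mac(key, data)
    pad_len = (block - (len(body) + 1) % block) % block
    return body + bytes([pad_len]) * (pad_len + 1)   # pad bytes plus the length byte


def _padding_ok(plaintext: bytes, pad_len: int) -> bool:
    # Note: this byte scan is itself variable-time; a production check must not be.
    return pad_len + 1 <= len(plaintext) - MAC_LEN and all(
        b == pad_len for b in plaintext[-pad_len - 1:])


def check_naive(key: bytes, plaintext: bytes) -> str:
    """Vulnerable pattern: bad padding returns early, before any MAC work is done."""
    pad_len = plaintext[-1]
    if not _padding_ok(plaintext, pad_len):
        return "bad_padding"                 # fast path: no HMAC computed
    body = plaintext[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tls_mac(key, data), mac):
        return "bad_mac"                     # slow path: one HMAC computed
    return "ok"


def check_hardened(key: bytes, plaintext: bytes) -> str:
    """Mitigation: on bad padding assume zero-length padding, still compute the MAC,
    and report one generic error for both failure cases."""
    pad_len = plaintext[-1]
    pad_ok = _padding_ok(plaintext, pad_len)
    if not pad_ok:
        pad_len = 0
    body = plaintext[:-(pad_len + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(tls_mac(key, data), mac)
    return "ok" if (pad_ok and mac_ok) else "bad_record_mac"
```

Both checks accept a well-formed record; only the naive one lets an observer tell a padding failure from a MAC failure by its result and by the absence of MAC work.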
SquirrelMail is a webmail package written in PHP. Two vulnerabilities have been found that affect versions of SquirrelMail shipped with Red Hat Linux 8.0. A cross-site scripting (XSS) vulnerability in Squirrelmail version 1.2.10 and earlier allows remote attackers to execute script as other web users via read_body.php. An incomplete fix for a cross-site scripting vulnerability in SquirrelMail 1.2.8 calls the strip_tags function on the PHP_SELF value but does not save the result back to that variable, leaving it open to cross-site scripting attacks. Fixed packages are available from updates.redhat.com.
Mark Dowd of ISS X-Force found a bug in the header parsing routines of sendmail: it could overflow a buffer when encountering addresses with very long comments. Since sendmail also parses headers when forwarding emails, this vulnerability can hit mail servers which do not deliver the email as well. Fixed packages are available from security.debian.org.