Leonard Stiles discovered that lv, a multilingual file viewer, would read options from a configuration file in the current directory. Because such a file could be placed there by a malicious user, and lv configuration options can be used to execute commands, this represented a security vulnerability. An attacker could gain the privileges of the user invoking lv, including root. Fixed packages are available from
security.debian.org.
The mysql package contains a double-free bug: dynamically allocated memory is freed more than once, which an attacker could deliberately trigger to crash the server, resulting in a denial of service. Exploiting it requires a valid username and password for the MySQL server. In addition, a malicious user who has been granted certain permissions within MySQL could create a configuration file which would cause the mysql server to run as root, or any other user, rather than as the mysql user. Fixed packages are available from
security.debian.org.
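Both the lv and the MySQL items above come down to a program trusting a configuration file that somebody else was able to write. The following is an added example, not code from lv or MySQL, of the checks a program should make before honouring a configuration file that can carry commands or a "run as" user: the file must be a regular file (not a symlink), owned by the invoking user or root, writable by nobody else, and looked up at a fixed location under $HOME rather than in the current directory. The file name ".toolrc" and the scratch directory are assumptions for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if path may be parsed as this user's configuration, 0 if not.
 * lstat() (not stat) so that a planted symlink is rejected outright. */
int config_is_trusted(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    if (!S_ISREG(st.st_mode))                     /* symlink, fifo, dir ... */
        return 0;
    if (st.st_uid != getuid() && st.st_uid != 0)  /* someone else's file */
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))         /* others could edit it */
        return 0;
    return 1;
}

/* The only place the program looks: a fixed name under $HOME, never
 * "./.toolrc" (".toolrc" is a hypothetical name). Returns 0 on success. */
int user_config_path(char *out, size_t outlen)
{
    const char *home = getenv("HOME");
    int n;

    if (home == NULL || home[0] != '/')           /* refuse a relative HOME */
        return -1;
    n = snprintf(out, outlen, "%s/.toolrc", home);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Self-check in a scratch directory: a 0644 file we own passes, the same
 * file made world-writable fails, and a symlink pointing at it fails.
 * Returns 1 if all three behave as expected. */
int config_self_test(void)
{
    char dir[] = "/tmp/cfgdemo.XXXXXX", file[64], link[64];
    int fd, ok;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(file, sizeof file, "%s/rc", dir);
    snprintf(link, sizeof link, "%s/rc.link", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) {
        rmdir(dir);
        return 0;
    }
    close(fd);
    chmod(file, 0644);                            /* independent of umask */
    ok = config_is_trusted(file) == 1;
    chmod(file, 0666);
    ok = ok && config_is_trusted(file) == 0;
    ok = ok && symlink(file, link) == 0 && config_is_trusted(link) == 0;
    unlink(link);
    unlink(file);
    rmdir(dir);
    return ok;
}

int main(void)
{
    char path[512];

    if (user_config_path(path, sizeof path) == 0)
        printf("%s: %s\n", path, config_is_trusted(path) ? "trusted" : "ignored");
    printf("self test: %s\n", config_self_test() ? "ok" : "FAILED");
    return 0;
}
```

The ownership test alone is not enough: a mode-0666 file owned by the user is still attacker-controlled, and a symlink owned by the user can point anywhere, which is why both the mode and the file type are checked.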
Tcpdump is a command-line tool for monitoring network traffic. The Red Hat tcpdump packages advertise that by default tcpdump will drop permissions to user 'pcap'. Due to a compilation error this did not happen, and tcpdump would run as root unless the '-U' flag was specified. Fixed packages are available from
updates.redhat.com.
The Linux kernel handles the basic functions of the operating system. A flaw has been found in several hash table implementations in the kernel networking code. A remote attacker could send packets with carefully chosen, forged source addresses in such a way as to make every routing cache entry get hashed into the same hash chain. The result would be that the kernel would use a disproportionate amount of processor time to deal with new packets, resulting in a remote denial of service attack. A flaw has been found in the "ioperm" system call, which fails to properly restrict privileges. This flaw can allow an unprivileged local user to gain read and write access to I/O ports on the system. Fixed packages are available from
updates.redhat.com.
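To make the routing-cache flaw concrete, here is an added example (not kernel code) of why an attacker who can choose the hashed key can pin every entry onto one chain, and why the usual countermeasure, a keyed hash with a secret the attacker does not know, which is the approach the kernel fix took, defeats it. The weak hash, the bucket count and the forged address set are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS 1024                /* power of two, like the route cache */

typedef uint32_t (*hash_fn)(uint32_t key, uint32_t secret);

/* Weak hash (hypothetical, for illustration): folds the four octets of the
 * address with xor. Any two addresses whose octets xor to the same value
 * share a bucket, and nothing in the computation is unknown to the attacker. */
static uint32_t weak_hash(uint32_t key, uint32_t secret)
{
    uint32_t h = ((key >> 24) ^ (key >> 16) ^ (key >> 8) ^ key) & 0xff;
    (void)secret;
    return h & (NBUCKETS - 1);
}

/* Keyed hash: xor in a secret chosen at boot, then run an avalanche
 * finaliser (the 32-bit MurmurHash3 fmix step). Without the secret the
 * attacker cannot predict which bucket a forged address will land in. */
static uint32_t keyed_hash(uint32_t key, uint32_t secret)
{
    uint32_t h = key ^ secret;
    h ^= h >> 16;
    h *= 0x85ebca6bU;
    h ^= h >> 13;
    h *= 0xc2b2ae35U;
    h ^= h >> 16;
    return h & (NBUCKETS - 1);
}

/* Constructed attacker input: the i-th of up to 65536 distinct forged
 * source addresses a.b.c.0 with a ^ b ^ c == 0x2a, i.e. crafted so that
 * weak_hash() puts every one of them in bucket 0x2a. */
static uint32_t forged_address(unsigned i)
{
    uint32_t a = i & 0xff, b = (i >> 8) & 0xff;
    uint32_t c = a ^ b ^ 0x2a;
    return (a << 24) | (b << 16) | (c << 8);
}

/* Insert n forged addresses and return the longest chain. In the real
 * cache that length is the number of entries compared for each new packet
 * that misses, so it is the attacker's amplification factor. */
static unsigned longest_chain(hash_fn fn, uint32_t secret, unsigned n)
{
    unsigned count[NBUCKETS];
    unsigned i, longest = 0;

    memset(count, 0, sizeof count);
    for (i = 0; i < n; i++) {
        uint32_t b = fn(forged_address(i), secret);
        if (++count[b] > longest)
            longest = count[b];
    }
    return longest;
}

unsigned weak_longest_chain(unsigned n)
{
    return longest_chain(weak_hash, 0, n);
}

unsigned keyed_longest_chain(unsigned n, uint32_t secret)
{
    return longest_chain(keyed_hash, secret, n);
}

int main(void)
{
    unsigned n = 4096;

    printf("%u forged addresses, unkeyed hash: longest chain %u\n",
           n, weak_longest_chain(n));
    printf("%u forged addresses, keyed hash:   longest chain %u\n",
           n, keyed_longest_chain(n, 0x9e3779b9U));
    return 0;
}
```

With 4096 forged addresses the unkeyed hash degenerates to a single 4096-entry chain, while the keyed hash spreads the same addresses to chains a few entries long. The secret must be unpredictable (and, as the kernel did, periodically renewed); a fixed constant compiled into the binary is just another thing the attacker knows.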
KDE is a graphical desktop environment for the X Window System. KDE fails in multiple places to properly quote URLs and file names before passing them to a command shell. This could allow remote attackers to execute arbitrary commands via carefully crafted URLs, filenames, or email addresses. KDE versions up to and including KDE 3.1.1 have a vulnerability caused by Ghostscript being invoked without -dSAFER when generating previews in Konqueror. An attacker can prepare a malicious PostScript or PDF file which gives the attacker access to the victim's account and privileges when the victim opens the file for viewing, or merely browses a directory containing such a file with file previews enabled. Fixed packages are available from
updates.redhat.com.
Xinetd is a 'master server' that is used to accept service connection requests and start the appropriate servers. Because of a programming error, memory was allocated and never freed if a connection was refused for any reason. An attacker could exploit this flaw to crash the xinetd server, rendering all services it controls unavailable. In addition, other flaws in xinetd could cause incorrect operation in certain unusual server configurations. Fixed packages are available from
updates.redhat.com.
Qt is known as a cross-platform graphical user interface toolkit. It
is that, but it's also a toolkit for dealing with databases, file
access, sockets, and much more. This article concerns the Qt object
model and why it is an improvement over the classic C++ model.
Joey Hess discovered that fuzz, a software stress-testing tool, creates a temporary file without taking appropriate security precautions. This bug could allow an attacker to gain the privileges of the user invoking fuzz, excluding root (fuzz does not allow itself to be invoked as root). Fixed packages are available from
security.debian.org.
The gtop daemon, used for monitoring remote machines, contains a buffer overflow which could be used by an attacker to execute arbitrary code with the privileges of the daemon process. If started as root, the daemon process drops root privileges, assuming uid and gid 99 by default. Fixed packages are available from
security.debian.org.
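The tcpdump item above (a privilege drop that a build error silently disabled) and the gtop item (a daemon that drops to uid/gid 99) both rely on the drop actually happening. The following is an added example, not tcpdump's or gtop's own code, of a permanent privilege drop in the correct order together with a post-condition check that would have caught the tcpdump build: it verifies the real and effective ids and, for a non-root target, that root cannot be regained. The account name "nobody" in main() is a stand-in for 'pcap' or uid 99.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Permanently drop to uid/gid. Order matters: the supplementary group list
 * and the gid first (they need root), the uid last (after which nothing
 * privileged is possible). Returns 0 on success, -1 on failure; a failure
 * must abort the program rather than let it carry on as root. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* root-only call */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Post-condition check, the thing the broken tcpdump build lacked: real
 * and effective ids are the requested ones, and if the target is not root
 * we must be unable to get root back. setuid(0) succeeding here means the
 * saved uid is still 0, i.e. the process only did seteuid() and can climb
 * back up. Returns 1 when fully dropped, 0 otherwise. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)                  /* must fail (EPERM) */
        return 0;
    return 1;
}

int main(void)
{
    struct passwd *pw = getpwnam("nobody");   /* 'pcap' in the tcpdump case */
    uid_t uid = pw ? pw->pw_uid : getuid();
    gid_t gid = pw ? pw->pw_gid : getgid();

    if (drop_privileges(uid, gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u gid %u, fully dropped: %s\n",
           (unsigned)getuid(), (unsigned)getgid(),
           privileges_dropped(uid, gid) ? "yes" : "NO");
    return 0;
}
```

Run as root this drops to "nobody" and reports "yes"; run as an ordinary user the drop to one's own ids is a no-op that still passes the check, and the check itself (not a compile-time define) is what should gate the rest of the program's startup.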
Maurice Massar discovered that, due to a packaging error, the program /usr/bin/KATAXWR was inadvertently installed setuid root. This program was not designed to run setuid, and contained multiple vulnerabilities which could be exploited to gain root privileges. Fixed packages are available from
security.debian.org.
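A packaging error like the one above is easy to catch with a routine scan for setuid and setgid files compared against what the system is expected to have. The following is an added example, not part of the Debian advisory, of such a scan: it walks a tree with lstat() so symlinks are neither followed nor counted, stays on the starting filesystem, and prints every hit. The self-test builds a scratch tree with two setuid files to show the count.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Recursively count regular files with S_ISUID or S_ISGID under dir,
 * restricted to the filesystem identified by dev (so /proc and network
 * mounts are skipped). Each hit is printed. Returns the count, or -1 if
 * dir cannot be opened. */
int count_setuid_files(const char *dir, dev_t dev)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    char path[4096];
    struct stat st;
    int found = 0;

    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path)
            continue;                               /* path too long: skip */
        if (lstat(path, &st) != 0 || st.st_dev != dev)
            continue;
        if (S_ISDIR(st.st_mode)) {
            int sub = count_setuid_files(path, dev);
            if (sub > 0)
                found += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) {
            printf("%s%s %s (owner uid %u)\n",
                   (st.st_mode & S_ISUID) ? "setuid" : "",
                   (st.st_mode & S_ISGID) ? " setgid" : "",
                   path, (unsigned)st.st_uid);
            found++;
        }
    }
    closedir(d);
    return found;
}

/* Entry point: note the device of the root directory, then walk it. */
int scan_setuid(const char *root)
{
    struct stat st;

    if (lstat(root, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    return count_setuid_files(root, st.st_dev);
}

/* Self-check: a scratch tree (constructed) with one plain file, one setuid
 * file and a subdirectory holding another setuid file must report 2. */
int setuid_self_test(void)
{
    char dir[] = "/tmp/suiddemo.XXXXXX", p[96];
    const char *names[] = { "plain", "suid", "sub/suid2" };
    mode_t modes[] = { 0755, 04755, 04755 };
    int n = -1;
    size_t i;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(p, sizeof p, "%s/sub", dir);
    if (mkdir(p, 0755) != 0)
        goto out;
    for (i = 0; i < 3; i++) {
        int fd;
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        fd = open(p, O_WRONLY | O_CREAT | O_EXCL, 0644);
        if (fd < 0)
            goto out;
        if (fchmod(fd, modes[i]) != 0) {   /* owner may set the bit itself */
            close(fd);
            goto out;
        }
        close(fd);
    }
    n = scan_setuid(dir);
out:
    for (i = 0; i < 3; i++) {
        snprintf(p, sizeof p, "%s/%s", dir, names[i]);
        unlink(p);
    }
    snprintf(p, sizeof p, "%s/sub", dir);
    rmdir(p);
    rmdir(dir);
    return n;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/usr";
    printf("setuid/setgid files under %s: %d\n", root, scan_setuid(root));
    return 0;
}
```

In practice the output is diffed against a saved baseline after every package upgrade; a new entry such as /usr/bin/KATAXWR appearing in that diff is the signal.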
Byrial Jensen discovered two off-by-one buffer overflows in the IMAP code of Mutt, a text-oriented mail reader supporting IMAP, MIME, GPG, PGP and threading. The same code is included in the Balsa package. This problem could potentially allow a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder. Fixed packages are available from
security.debian.org.
Timo Sirainen discovered several problems in EPIC4, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user. Fixed packages are available from
security.debian.org.
mod_auth_any is a Web server module that allows the Apache httpd server to call arbitrary external programs to verify user passwords. Vulnerabilities have been found in the way mod_auth_any escapes shell arguments when calling external programs. Versions of mod_auth_any included in Red Hat Linux 7.2 and 7.3 are affected. These vulnerabilities allow remote attackers to run arbitrary commands as the user under which the Web server is running. Fixed packages are available from
updates.redhat.com.
Two vulnerabilities have been discovered in Snort, a popular network intrusion detection system. Snort comes with modules and plugins that perform a variety of functions such as protocol analysis. Researchers have discovered a remotely exploitable integer overflow that results in overwriting the heap in the "stream4" preprocessor module, as well as a remotely exploitable buffer overflow in the Snort RPC preprocessor module. Fixed packages are available from
security.debian.org.
The man package includes tools for finding and displaying online documentation. Versions of man before 1.51 have a bug where a malformed man file can cause a program named "unsafe" to be run. To exploit this vulnerability a local attacker would need to get a victim to run man on a carefully crafted man file, and would need to be able to create a file called "unsafe" somewhere on the victim's default path. Fixed packages are available from
updates.redhat.com.
The KDE team discovered a vulnerability in the way KDE uses Ghostscript software for processing of PostScript (PS) and PDF files. An attacker could provide a malicious PostScript or PDF file via mail or websites that could lead to executing arbitrary commands under the privileges of the user viewing the file or when the browser generates a directory listing with thumbnails. Fixed packages are available from
security.debian.org.
Timo Sirainen discovered a vulnerability in pptpd, a Point to Point Tunneling Protocol (PPTP) server commonly used to create Virtual Private Networks (VPN). By specifying a small packet length an attacker is able to overflow a buffer and execute code under the user id that runs pptpd, probably root. An exploit for this problem is already circulating. Fixed packages are available from
security.debian.org.
MySQL is a multi-user, multi-threaded SQL database server. A double-free vulnerability in mysqld, for MySQL before version 3.23.55, allows attackers with MySQL access to cause a denial of service (crash) by creating a carefully crafted client application. Also, MySQL 3.23.55 and earlier creates world-writable files and allows mysql users to gain root privileges by using "SELECT ... INTO OUTFILE" to overwrite a configuration file and cause mysql to run as root upon restart. Fixed packages are available from
updates.redhat.com.
Zlib is a general-purpose, patent-free, lossless data compression library used by many different programs. The function gzprintf within zlib, when called with a string longer than Z_PRINTF_BUFSIZE (= 4096 bytes), overflows its buffer without any warning. zlib-1.1.4 and earlier exhibit this behavior. There are no known exploits of the gzprintf overrun, and only a few programs, including rpm2html and gimp-print, are known to use the gzprintf function. The problem has been fixed by checking the length of the output string within gzprintf. Fixed packages are available from
updates.redhat.com.
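The Mutt, EPIC4 and zlib items above (and the ircII item further down) are the same two mistakes: an off-by-one when copying an untrusted reply into a fixed buffer, and formatting into a fixed buffer with no length check at all. The following is an added example, not code from any of those projects, showing each guarded form with the boundary case made explicit; the probe helpers build a constructed reply of n bytes so the exact limit can be exercised.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Z_PRINTF_BUFSIZE 4096          /* zlib's gzprintf buffer size */

/* Copy an untrusted server reply into a fixed buffer. The check is ">=",
 * not ">": a reply of exactly dstsize bytes fits the bytes but not the
 * terminating NUL, which is the classic off-by-one. Rejects rather than
 * truncating so the caller can treat it as a protocol error. Returns the
 * length copied or -1. */
int copy_reply(char *dst, size_t dstsize, const char *src, size_t srclen)
{
    if (dstsize == 0 || srclen >= dstsize)
        return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return (int)srclen;
}

/* gzprintf-style formatting into a fixed buffer. Unbounded vsprintf()
 * cannot stop at the end of the buffer; vsnprintf() plus a check of its
 * return value (the length the output *wanted*, not what fit) is the shape
 * of the fix. Returns the bytes written, or -1 if the output did not fit. */
int bounded_printf(char *buf, size_t bufsize, const char *fmt, ...)
{
    va_list ap;
    int len;

    va_start(ap, fmt);
    len = vsnprintf(buf, bufsize, fmt, ap);
    va_end(ap);
    if (len < 0 || (size_t)len >= bufsize) {
        if (bufsize > 0)
            buf[0] = '\0';
        return -1;
    }
    return len;
}

/* Probe: copy a constructed reply of n 'A's into a dstsize-byte buffer. */
int probe_copy(size_t n, size_t dstsize)
{
    char *src = malloc(n + 1), *dst = malloc(dstsize + 1);
    int r = -1;

    if (src && dst) {
        memset(src, 'A', n);
        src[n] = '\0';
        r = copy_reply(dst, dstsize, src, n);
    }
    free(src);
    free(dst);
    return r;
}

/* Probe: format a constructed n-byte string through the gzprintf-sized buffer. */
int probe_gzprintf(size_t n)
{
    char buf[Z_PRINTF_BUFSIZE];
    char *arg = malloc(n + 1);
    int r = -1;

    if (arg) {
        memset(arg, 'A', n);
        arg[n] = '\0';
        r = bounded_printf(buf, sizeof buf, "%s", arg);
    }
    free(arg);
    return r;
}

int main(void)
{
    printf("copy 4095 into 4096: %d\n", probe_copy(4095, 4096));
    printf("copy 4096 into 4096: %d (off-by-one caught)\n", probe_copy(4096, 4096));
    printf("gzprintf 4095 chars: %d\n", probe_gzprintf(4095));
    printf("gzprintf 4096 chars: %d (overflow refused)\n", probe_gzprintf(4096));
    return 0;
}
```

The two cases that matter are the ones exactly at the limit: 4095 bytes fit a 4096-byte buffer with their NUL, 4096 do not, and a guard written with ">" instead of ">=" lets the second one through.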
Ever since I first stayed up late watching an 8-bit computer
painstakingly draw a Mandelbrot set, I've been fascinated by
fractals. Of course, I had to write a fractal-generating program of my
own straight away; the combination of the amazingly simple math
required to produce the Mandelbrot set and the amazing graphics that
came out was irresistible. Clearly, I'm not alone; every programmer
with even the slightest interest in math writes a fractal program at
some point, and a good number of these are now available as Open
Source. Here's a brief, opinionated, and decidedly non-exhaustive
survey of some of the programs I've found.
mICQ is an online messaging and conferencing program. mICQ versions 0.4.9 and earlier allow remote attackers to cause a denial of service (crash) using malformed ICQ message types without a 0xFE separator character. Fixed packages are available from
updates.redhat.com.
LPRng is a print spooler. LPRng includes a program, psbanner, that can be used to produce PostScript banner pages to separate print jobs. A vulnerability has been found in psbanner, which creates a temporary file with a known filename in an insecure manner. An attacker could create a symbolic link at that name and cause arbitrary files to be written as the 'lp' user. Fixed packages are available from
updates.redhat.com.
SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities have been found which affect versions of SquirrelMail shipped with Red Hat Linux 8.0 and Red Hat Linux 9. Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and earlier allow remote attackers to execute script as other Web users via mailbox displays, message displays, or search results displays. Fixed packages are available from
updates.redhat.com.
The K Desktop Environment (KDE) can generate PostScript previews, which are viewed through certain Konqueror plug-ins, for example. The previews are generated by invoking the ghostscript program, but without the "-dSAFER" option. This allows code embedded in a malicious PostScript file to run outside Ghostscript's restricted mode, with access to the user's files. In addition to the correction of the preview generation, various other security-related bug fixes and patches from KDE 3.0.5a have been incorporated. Fixed packages are available from
ftp.suse.com.
Ethereal is a package designed for monitoring network traffic on your system. Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via carefully crafted SOCKS packets. Additionally, a heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. Fixed packages are available from
updates.redhat.com.
Brian Campbell discovered two security-related problems in gkrellm-newsticker, a plugin for the gkrellm system monitor program which provides a news ticker from RDF feeds. When the ticker title is clicked, the plugin launches the user's web browser with the URI given by the feed. Special shell characters in that URI are not properly escaped, enabling a malicious feed to execute arbitrary shell commands on the client's machine. Also, the plugin crashes the entire gkrellm process on feeds where link or title elements are not entirely on a single line, so a malicious server can cause a denial of service. Fixed packages are available from
security.debian.org.
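The KDE, mod_auth_any and gkrellm-newsticker items all pass attacker-influenced text (a URL, a filename, a feed title, a password) through a command shell. The following is an added example, not code from any of those projects, of the difference between building a command line for /bin/sh and passing the text as one argv element without a shell; /bin/echo stands in for the browser or password helper, and the malicious feed link is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Read a child's stdout into buf (NUL-terminated). Returns bytes read. */
static size_t read_all(int fd, char *buf, size_t len)
{
    size_t got = 0;
    ssize_t n;

    while (got < len - 1 && (n = read(fd, buf + got, len - 1 - got)) > 0)
        got += (size_t)n;
    buf[got] = '\0';
    return got;
}

/* Count output lines: an injected command shows up as extra lines. */
int count_lines(const char *s)
{
    int lines = 0;

    for (; *s; s++)
        if (*s == '\n')
            lines++;
    return lines;
}

/* Vulnerable: "echo <url>" is handed to /bin/sh by popen(), so ';', '|',
 * backticks and $(...) inside the URL become shell syntax. Returns the
 * number of output lines, -1 on error. */
int open_url_via_shell(const char *url)
{
    char cmd[512], out[256];
    FILE *p;

    snprintf(cmd, sizeof cmd, "/bin/echo %s", url);   /* no quoting at all */
    p = popen(cmd, "r");
    if (p == NULL)
        return -1;
    read_all(fileno(p), out, sizeof out);
    pclose(p);
    return count_lines(out);
}

/* Fixed: no shell at all. fork() + execv() with an argv array; the URL is
 * exactly one argument whatever characters it contains. Quoting for the
 * shell is the weaker alternative, because every metacharacter must then
 * be handled correctly, which is exactly what the advisories got wrong. */
int open_url_via_execv(const char *url)
{
    int pipefd[2];
    char out[256];
    pid_t pid;

    if (pipe(pipefd) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {                                  /* child */
        char *const argv[] = { "/bin/echo", (char *)url, NULL };
        dup2(pipefd[1], STDOUT_FILENO);
        close(pipefd[0]);
        close(pipefd[1]);
        execv(argv[0], argv);
        _exit(127);
    }
    close(pipefd[1]);
    read_all(pipefd[0], out, sizeof out);
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    return count_lines(out);
}

int main(void)
{
    /* Constructed malicious feed link: a URL followed by a second command. */
    const char *evil = "http://example.invalid/;echo INJECTED";

    printf("via /bin/sh: %d line(s) of output (the second is the injected command)\n",
           open_url_via_shell(evil));
    printf("via execv:   %d line(s) of output\n", open_url_via_execv(evil));
    return 0;
}
```

Through the shell the feed link produces two lines, the second being the output of the injected command; through execv() it produces one line containing the link verbatim, semicolon and all.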
tcpdump is a command-line tool for monitoring network traffic. The BGP decoding routines in tcpdump before 3.6.2 used incorrect bounds checking when copying data, which allows remote attackers to cause a denial of service and possibly execute arbitrary code (as the 'pcap' user). The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0. This causes tcpdump to generate data within an infinite loop. A vulnerability in tcpdump before 3.7.2 is related to an inability to handle unknown RADIUS attributes properly, and allows remote attackers to cause a denial of service (infinite loop). Fixed packages are available from
updates.redhat.com.
The ISAKMP parser in tcpdump 3.6 through 3.7.1 allows remote attackers to
cause a denial of service (CPU consumption) via a malformed ISAKMP
packet to UDP port 500, causing tcpdump to enter an infinite loop.
Colin Phipps discovered several problems in mime-support, which contains support programs for the MIME control files 'mime.types' and 'mailcap'. When a temporary file is needed it is created insecurely, allowing an attacker to overwrite arbitrary files under the user id of the person executing run-mailcap, most probably root. Additionally, the program did not properly escape shell metacharacters when executing a command. This is unlikely to be exploitable, though. Fixed packages are available from
security.debian.org.
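The fuzz, psbanner and mime-support items are all the same temporary-file bug: a predictable name created without O_EXCL, so a symlink planted at that name by another local user redirects the privileged write. The following is an added example, not code from any of those packages, that replays the attack in a private scratch directory (created for the demonstration) and shows the two creation patterns that defeat it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: predictable name, O_CREAT without O_EXCL. If an
 * attacker has already planted a symlink at that path, open() follows it
 * and the (privileged) writer truncates and overwrites the link target. */
static int open_tmp_vulnerable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Fix (a): same fixed name, but O_EXCL|O_NOFOLLOW makes open() fail rather
 * than follow a planted link or reuse a pre-existing file. The program must
 * then give up, not retry with the flags removed. */
static int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix (b): unpredictable name and atomic creation via mkstemp() (0600). */
static int open_tmp_mkstemp(char *template_inout)
{
    return mkstemp(template_inout);
}

/* Replay the attack. Returns 1 if the vulnerable open wrote through the
 * attacker's symlink into "victim" while both hardened variants refused
 * or avoided the planted name, 0 otherwise. */
int symlink_attack_demo(void)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char victim[256], link[256], tmpl[256], buf[64];
    int fd, result = 0;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/banner.tmp", dir);   /* the known name */

    /* A file the privileged program should never touch. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        goto out;
    n = write(fd, "original", 8);
    close(fd);
    if (n != 8)
        goto out;

    /* The attacker wins the race: the link is in place before the open. */
    if (symlink(victim, link) != 0)
        goto out;

    /* The vulnerable writer follows the link ... */
    fd = open_tmp_vulnerable(link);
    if (fd < 0)
        goto out;
    n = write(fd, "CLOBBERED", 9);
    close(fd);
    if (n != 9)
        goto out;

    /* ... the hardened ones do not. */
    fd = open_tmp_excl(link);
    if (fd >= 0) {
        close(fd);
        goto out;
    }
    if (errno != EEXIST && errno != ELOOP)
        goto out;
    snprintf(tmpl, sizeof tmpl, "%s/banner.XXXXXX", dir);
    fd = open_tmp_mkstemp(tmpl);
    if (fd < 0)
        goto out;
    close(fd);
    unlink(tmpl);

    /* Confirm the victim file really was overwritten. */
    fd = open(victim, O_RDONLY);
    if (fd < 0)
        goto out;
    n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n > 0) {
        buf[n] = '\0';
        result = strcmp(buf, "CLOBBERED") == 0;
    }
out:
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("vulnerable open followed the symlink, hardened opens refused: %s\n",
           symlink_attack_demo() ? "yes" : "no");
    return 0;
}
```

Note that O_EXCL is what makes the fixed-name variant safe, not the mode; and mkstemp() is preferable to both because the name is no longer predictable, so there is nothing for the attacker to pre-plant.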
Timo Sirainen discovered several problems in ircII, a popular client for Internet Relay Chat (IRC). A malicious server could craft special reply strings, triggering the client to write beyond buffer boundaries. This could lead to a denial of service if the client only crashes, but may also lead to execution of arbitrary code under the user id of the chatting user. Fixed packages are available from
security.debian.org.