While performing tests on the gdk-pixbuf library, Matthias Clasen created an invalid PNG image that caused libpng to crash. Upon further investigation, this turned out to be a bug in zlib 1.1.3 where certain types of input will cause zlib to free the same area of memory twice (called a "double free"). This bug can be used to crash any program that takes untrusted compressed input. Web browsers or email programs that display image attachments or other programs that uncompress data are particularly affected. This vulnerability makes it easy to perform various denial-of-service attacks against such programs. Fixed packages are available from updates.redhat.com
Ed Moyle recently found a buffer overflow in Apache-SSL and mod_ssl. With session caching enabled, mod_ssl will serialize SSL session variables to store them for later use. These variables were stored in a buffer of a fixed size without proper boundary checks. To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server. Fixed packages are available from security.debian.org
I've set up two Beowulfs so far, and in both cases it involved
gathering material from various Web sites and somehow putting it all
together. I got everything up and running, but it was quite a "time
sink" for me, so I was interested to receive a book entitled "How to
Build a Beowulf". Finally, information regarding Beowulfs would be
available in one place and I could save my bandwidth for other stuff!
Joost Pol reports that OpenSSH versions 2.0 through 3.0.2 have an off-by-one bug in the channel allocation code. This vulnerability can be exploited by authenticated users to gain root privilege or by a malicious server exploiting a client with this bug. Since Debian 2.2 (potato) shipped with OpenSSH (the "ssh" package) version 1.2.3, it is not vulnerable to this exploit. No fix is required for Debian 2.2 (potato).
Joost Pol has discovered an off-by-one error in all versions of the OpenSSH daemon (sshd) prior to version 3.1. This issue could allow an authenticated user to cause sshd to corrupt its heap, potentially allowing arbitrary code to be executed on the remote server. Alternatively, a malicious SSH server could be crafted to attack a vulnerable OpenSSH client. Fixed packages are available from updates.redhat.com
When session caching is enabled, mod_ssl will serialize SSL session variables to store them for later use. Unpatched versions of mod_ssl prior to version 2.8.7 which use the 'shm' or 'dbm' session caches would store session variables using a buffer with a fixed size, making it vulnerable to overflow. To exploit the overflow, the server must be configured to require client certificates, and an attacker must obtain a carefully crafted client certificate that has been signed by a Certificate Authority which is trusted by the server. If these conditions are met, it would be possible for an attacker to execute arbitrary code on the server. Fixed packages are available from updates.redhat.com
Joost Pol discovered an off-by-one bug in a routine in the OpenSSH code for checking channel IDs. This bug can be exploited on the remote side by an already authenticated user, qualifying it as a local security vulnerability, and on the local side if a malicious server attacks the connected client, qualifying it as a remote vulnerability. If the error is exploited, it leads to arbitrary code execution in the process under attack (either a local ssh client, compromising the user ID of the client user, or a remote secure shell daemon with an authenticated user session running, compromising the root account of the remote system). Fixed packages can be obtained from ftp.suse.com
The widely used proxy server squid contains a heap overflow in one of its URL-constructing functions. Incorrect length calculations for the user and password fields in ftp URLs turned out to be the origin of the problem. Only users from hosts listed in squid's ACL files could trigger the overflow. The ftp URL problem is not present in the 6.4, 7.0 and 7.1 distributions, but other security-related bugs have been fixed there. Fixed packages can be obtained from ftp.suse.com
Tim Waugh found several insecure uses of temporary files in the xsane program, which is used for scanning. This was fixed for Debian/stable by moving those files into a securely created directory within the /tmp directory. Fixed packages are available from security.debian.org
Kim Nielsen recently found an internal problem with the CVS server and reported it to the vuln-dev mailing list. The problem is triggered by an improperly initialized global variable. A user exploiting this can crash the CVS server, which may be accessed through the pserver service and run under a remote user id. It is not yet clear whether the remote account can be exposed, though. Fixed packages are available from security.debian.org
Zorgon found several buffer overflows in cfsd, a daemon that pushes encryption services into the Unix(tm) file system. We are not yet sure if these overflows can successfully be exploited to gain root access to the machine running the CFS daemon. However, since cfsd can easily be forced to die, a malicious user can easily perform a denial of service attack against it. Fixed packages are available from security.debian.org
Stefan Esser, who is also a member of the PHP team, found several flaws in the way PHP handles multipart/form-data POST requests (as described in RFC 1867), known as POST file uploads. Each of the flaws could allow an attacker to execute arbitrary code on the victim's system. For PHP3, the flaws consist of a broken boundary check and an arbitrary heap overflow. For PHP4, they consist of a broken boundary check and a heap off-by-one error. Fixed packages are available from security.debian.org
A couple of years ago, I experienced the worst form of Repetitive
Stress Injury, leading up to the dreaded Carpal Tunnel Syndrome. I
responded by reducing my time with the keyboard, using ergonomic
gadgets, following every bit of advice I could find, seeking medical
help, adopting voice recognition software, and undergoing physical
therapy, none of which provided a lasting solution. Not to be content,
I kept looking for a permanent cure. Eventually, I found the cure in
Muscle Learning Therapy, which brought about a remarkable recovery.
In this article, I recount the experience of living through the
trauma, despair, and recovery.
The e-matters team have found multiple remotely exploitable vulnerabilities in the source code responsible for file upload in the Apache modules mod_php and mod_php4 (versions 3 and 4). The weakness can be used to have the web server execute arbitrary code supplied by the attacker. Fixed packages are available from ftp.suse.com
Updated PHP packages are available to fix vulnerabilities in the functions that parse multipart MIME data, which are used when uploading files through forms. Updates can be found on updates.redhat.com
New squid packages are available that fix various vulnerabilities. Some of these vulnerabilities could be used to perform a denial of service (DoS) attack or allow remote users to execute code as the user squid. They are available through updates.redhat.com
The well-known Common Unix Printing System (CUPS) was found vulnerable to a buffer overflow in the Internet Printing Protocol (IPP) handling code. The buffer overflow could be exploited by a remote attacker as long as their IP address is allowed to connect to the CUPS server. Fixed packages are available from ftp.suse.com
I finally got around to reading the book everyone told me not to
bother with, and had a pleasant surprise, as I expected I might.
While I'll admit that it's heavy going at times, it's also sadly
underrated and misunderstood.
The ncurses library provides a terminal-independent method of screen handling. A problem has been found in ncurses version 5.0 that could cause a buffer overflow. This overflow could be locally exploited if the library is linked into a program that runs setuid or setgid. Red Hat Linux ships with a compatibility package 'ncurses4' that is actually based on ncurses version 5.0 but has been made ABI compatible with ncurses 4. No programs that ship with Red Hat Linux are exploitable. A program could only be exploited if it uses the ncurses 4 compatibility package and if it is run setuid or setgid. Fixed packages are available from updates.redhat.com
Thomas Springer found a vulnerability in GNUJSP, a Java servlet that allows you to insert Java source code into HTML files. The problem can be used to bypass access restrictions in the web server. An attacker can view the contents of directories and download files directly rather than receiving their HTML output. This means that the source code of scripts could also be revealed. Fixed packages are available from security.debian.org
Several buffer overflows were fixed in the "ncurses" library in November 2000. Unfortunately, one was missed. This can lead to crashes when using ncurses applications in large windows. Fixed packages can be obtained from security.debian.org
A set of buffer overflow problems has been found in hanterm, a Hangul terminal for X11 derived from xterm, which reads and displays Korean characters in its terminal window. The font handling code in hanterm uses fixed-size string buffers but did not check their boundaries. This problem can be exploited by a malicious user to gain access to the utmp group, which is able to write the wtmp and utmp files. These files record login and logout activities. Fixed packages are available from security.debian.org
Unix is steadily evolving into something much easier to use. The trick
is to find tools that make things friendlier, but which fit in well
with existing tools and are easier for people to take and use for new
The Secure Programming Group of the Oulu University did a study on SNMP implementations and uncovered multiple flaws, with consequences ranging from denial of service attacks to remote exploits. Fixed packages are available from security.debian.org
The authors of CUPS, the Common UNIX Printing System, have found a potential buffer overflow bug in the code of the CUPS daemon where it reads the names of attributes. This affects all versions of CUPS. Fixed packages are available from security.debian.org
The Simple Network Management Protocol (SNMP) enables monitoring and configuration of network nodes. The Oulu University Secure Programming Group performed a vulnerability assessment of various SNMP implementations through syntax testing and test-suite creation. Updated packages are available from updates.redhat.com
The test-suite showed several failures in the ucd-snmp tools in version 4.2.2 and earlier. These vulnerabilities can cause denial-of-service conditions, service interruptions, and in some cases could result in a remote security breach.
With the latest version of at, queued commands that depend on the current environment (for example, the PATH) could fail or run incorrectly, because the environment was not accessible when the command was executed at a later time. Additionally, in versions of Red Hat Linux prior to 7.2, a malicious local user could specify an execution time in a carefully crafted format, triggering a heap corruption bug. Since the at command is installed setuid root, this bug can be exploited. Fixed packages are available from updates.redhat.com
So, you want to write software? Don't forget that you'll need to
build or package it, test it, fix some stuff, test it again, and
ultimately release it... somehow. The "somehow" is the art and
science of Build and Release Management.
Zenith Parsec discovered a security hole in Taylor UUCP 1.06.1. It permits a local user to copy any file to anywhere that is writable by the uucp uid, which effectively means that a local user can completely subvert the UUCP subsystem, including stealing mail, etc. It was thought that this problem had been fixed with DSA 079-1, but that did not fix all variations of the problem. Updated packages are available from security.debian.org