[ISN] Linux Advisory Watch - April 13th 2001

From: vuln-newsletter-adminsat_private
Date: Fri Apr 13 2001 - 07:52:09 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                      Linux  Advisory Watch  |
    |  April 13th, 2001                        Volume 2, Number 15a  |
    +----------------------------------------------------------------+
    
      Editors:     Dave Wreski                  Benjamin Thomas
                   daveat_private       benat_private
    
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the
    week. It includes pointers to updated packages and descriptions of
    each vulnerability.
    
    This week, advisories were released for xntp3, ntpd, vim, mailx,
    kernel, pine, netscape, and mc.  The vendors include Conectiva,
    Caldera, Debian, EnGarde, Immunix, Mandrake, NetBSD, Progeny, Red
    Hat, Slackware, SuSE, and Trustix.
    
    
    
    ### FREE Apache SSL Guide from Thawte ###
    
    Planning Web Server Security? Find out how to implement SSL! Get the
    free Thawte Apache SSL Guide and find the answers to all your Apache
    SSL security issues and more at:
    
    http://www.thawte.com/ucgi/gothawte.cgi?a=n341305500018000
    
    
    
    * Using GnuPG with Pine for Secure E-Mail
    
    Many people have no problem sending sensitive data via e-mail. Most
    of us do not know how easy it is for anybody to read it. Just because
    somebody holds the title of "Systems Administrator" does not mean
    they can be trusted. What is stopping them from reading your e-mail?
    Nothing. This is where PGP comes in; it is easy-to-use encryption
    meant for the common person.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-83.html
    
    
    HTML Version of Newsletter:
    http://www.linuxsecurity.com/vuln-newsletter.html
    
    
    +---------------------------------+
    | Installing a new package:       | ------------------------------//
    +---------------------------------+
    
    # rpm -Uvh <package>.rpm
    # dpkg -i <package>.deb
    
    Packages can be installed easily by using rpm (Red Hat Package
    Manager) or dpkg (Debian Package Manager). Most advisories
    issued by vendors are packaged in either an rpm or dpkg.
    Additional installation instructions can be found in the body
    of the Advisories.
    
    +---------------------------------+
    | Checking Package Integrity:     | -----------------------------//
    +---------------------------------+
    
    The md5sum command is used to compute a 128-bit fingerprint that is
    strongly dependent upon the contents of the file to which it is
    applied. It can be used to compare against a previously-generated
    sum to determine whether the file has changed. It is commonly used
    to ensure the integrity of updated packages distributed by a vendor.
    
    
    # md5sum <package>.rpm
    ebf0d4a0d236453f63a797ea20f0758b  <package>.rpm
    
    The resulting string can then be compared against the MD5 checksum
    published by the packager. While this does not account for the
    possibility that whoever modified a package also modified the
    published checksum, it is nonetheless very useful for establishing a
    high degree of assurance in the integrity of a package before
    installing it.
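    The two steps above (checking the published MD5 sum, then installing
    the package) as one POSIX shell script. This is an added example, not
    part of the newsletter; it assumes GNU coreutils md5sum is installed,
    the function names are this example's own, and the demonstration file
    is constructed rather than a real vendor package.

```shell
#!/bin/sh
# Added example (not from the newsletter): verify a downloaded package
# against the MD5 sum published in a vendor advisory, and only then
# hand it to the package manager. Assumes GNU coreutils md5sum.

# Print the lower-case hex MD5 digest of a file, without the filename.
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED_SUM
# Returns 0 when FILE's digest equals EXPECTED_SUM (compared
# case-insensitively, since advisories print sums in either case),
# 1 when the file is missing or the digest differs.
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "verify_md5: no such file: $file" >&2; return 1; }
    actual=$(md5_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file $actual"
        return 0
    fi
    echo "FAIL $file expected=$expected actual=$actual" >&2
    return 1
}

# install_verified FILE EXPECTED_SUM INSTALLER...
# Runs INSTALLER (for example: rpm -Uvh, or dpkg -i) on FILE only if the
# checksum matches; on a mismatch nothing touches the system.
install_verified() {
    file=$1
    expected=$2
    shift 2
    verify_md5 "$file" "$expected" || return 1
    "$@" "$file"
}

# Demonstration on a constructed file (not a real package). The MD5 of
# the six bytes "hello\n" is b1946ac92492d2347c6235b4d2611184.
demo() {
    tmp=$(mktemp)
    printf 'hello\n' > "$tmp"
    verify_md5 "$tmp" b1946ac92492d2347c6235b4d2611184
    # Simulate a tampered package (published sum no longer matches):
    # the installer must not run.
    install_verified "$tmp" 00000000000000000000000000000000 echo "installing" \
        && echo "BUG: installed despite checksum mismatch" >&2
    rm -f "$tmp"
}

demo
```

    With a real advisory you would pass the package path, the sum quoted
    in the advisory, and the installer, e.g.
    `install_verified xntp3-5.93-21cl.i386.rpm <sum from advisory> rpm -Uvh`.
    Take the expected sum from the advisory text or the vendor's signed
    announcement rather than from a file sitting next to the package on
    the same mirror: a mirror that can serve a modified package can just
    as easily serve a matching checksum, which is the limitation the
    paragraph above points out.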
    
    
    
    +---------------------------------+
    |   Conectiva                     | ----------------------------//
    +---------------------------------+
    
    * Conectiva:  'xntp3' buffer overflow
    April 9th, 2001
    
    "xntp3" is a package used to synchronize clocks between computers on a
    network. Przemyslaw Frasunek published an exploit that demonstrates a
    buffer overflow vulnerability in that package. This vulnerability can
    be exploited remotely and is aggravated by the fact that the xntpd
    daemon runs as root.
    
     ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xntp3-5.93-21cl.i386.rpm
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1269.html
    
    
    +---------------------------------+
    |   Caldera                       | ----------------------------//
    +---------------------------------+
    
    
    * Caldera: 'vim' multiple vulnerabilities
    April 11th, 2001
    
    There exists a possibility for an attacker to embed special modelines
    into a text file which when opened with vim could compromise the
    account of the user.
    
     ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
     RPMS/vim-5.7-12.i386.rpm
     6f57e2a30063af5973c98734bd56099e
    
     RPMS/vim-X11-5.7-12.i386.rpm
     e53bbd8b9cd8020015d08edcbe8c872a
    
     RPMS/vim-help-5.7-12.i386.rpm
     1914bb9b40d72a0bfdd1997890b7c05a
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/caldera_advisory-1282.html
    
    
    
    * Caldera: ntpd remote buffer overflow vulnerability
    April 6th, 2001
    
    The ntp time synchronisation daemon has a buffer overflow in its
    control request parsing which allows any remote attacker to gain root
    access, if the daemon is running.
    
     ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
     RPMS/xntp-3.5.93e-5.i386.rpm
     19e51b89951b435061450398e764b753
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/caldera_advisory-1264.html
    
    
    
    +---------------------------------+
    |   Debian                        | ----------------------------//
    +---------------------------------+
    
    
    * Debian: UPDATE: ntp denial of service
    April 10th, 2001
    
    Przemyslaw Frasunek reported that ntp daemons such as that released
    with Debian GNU/Linux are vulnerable to a buffer overflow that can
    lead to a remote root exploit. A previous advisory (DSA-045-1)
    partially addressed this issue, but introduced a potential denial of
    service attack. This has been corrected for Debian 2.2 (potato) in
    ntp version 4.0.99g-2potato2.
    
     Architecture-independent files:
    
     http://security.debian.org/debian-security/dists/stable/updates/
     main/binary-all/ntp-doc_4.0.99g-2potato2_all.deb
     MD5 checksum: cfa7f1a427fb65dc85eca68f823c95d7
    
     http://security.debian.org/debian-security/dists/stable/updates/
     main/binary-all/xntp3_4.0.99g-2potato2_all.deb
     MD5 checksum: 3216aeca42720cd2b00f19ef05dc4ff8
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/debian_advisory-1276.html
    
    
    
    
    +---------------------------------+
    |   EnGarde                       | ----------------------------//
    +---------------------------------+
    
    
    * EnGarde:  'xntp3' buffer overflow
    April 9th, 2001
    
    By attacking a very small buffer with a very small set of shellcode,
    an attacker can potentially gain root access. It has been reported
    that in some cases the only effect is the segfault of the ntpd. The
    Network Time Protocol (NTP) is used to synchronize a computer's time
    with another reference time source. The xntp3 package contains
    utilities and daemons which will synchronize your computer's time to
    Coordinated Universal Time (UTC) via the NTP protocol and NTP
    servers.
    
     http://ftp.engardelinux.org/pub/engarde/stable/updates/
     i686/xntp3-5.93-1.0.16.i686.rpm
     MD5 Sum:  3d7823343a0db6485a94fa16fad5afbd
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1273.html
    
    
    
    +---------------------------------+
    |   Immunix                       | ----------------------------//
    +---------------------------------+
    
    
    * Immunix: ntpd buffer overflow
    April 6th, 2001
    
    The StackGuard protection in Immunix is effective at stopping this
    attack. If the published exploit is run against the Immunix version,
    it will cause ntpd to exit with a StackGuard detection message but no
    penetration vulnerability is possible. WireX is releasing updated
    packages to prevent the residual DoS attack.
    
     Precompiled binary package for Immunix 6.2 is available at:
    
     http://immunix.org/ImmunixOS/6.2/updates/RPMS/
     xntp3-5.93-14_StackGuard_2.i386.rpm
     4a87c36da4418926d95c5a19cd913f48
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1259.html
    
    
    
    
    
    +---------------------------------+
    |   Mandrake                      | ----------------------------//
    +---------------------------------+
    
    
    * Mandrake: ntpd buffer overflow
    April 6th, 2001
    
    Przemyslaw Frasunek reported that ntp daemons such as ntp and xntp3
    are vulnerable to a buffer overflow that can lead to a remote root
    exploit. Linux-Mandrake users are urged to upgrade ntp and xntp3
    immediately.
    
     http://www.linux-mandrake.com/en/ftp.php3
     Linux-Mandrake 7.2:
     7.2/RPMS/ntp-4.0.99k-3.1mdk.i586.rpm
     78510269b88b75b90fbb28cb5ecd7d0b
    
     7.2/RPMS/xntp3-5.93-9.1mdk.i586.rpm
     d1be8a263979dfcc9549aa0193b3bc43
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/mandrake_advisory-1260.html
    
    
    
    
    +---------------------------------+
    |   NetBSD                        | ----------------------------//
    +---------------------------------+
    
    * NetBSD: Ftpd denial of service and remote buffer overflow
    April 10th, 2001
    
    A recent COVERT Labs Security Advisory (COVERT-2001-02) describes a
    remote denial of service and buffer overrun that COVERT Labs
    discovered in the glob(3) library function. This function is called
    by the ftp server daemon (ftpd), and therefore the ftp server is
    vulnerable to this attack. Systems running ftpd are vulnerable.
    
     PLEASE SEE VENDOR ADVISORY FOR UPDATE
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-1275.html
    
    
    
    
    * NetBSD: NTP remote buffer overflow
    April 6th, 2001
    
    The NTP time synchronisation service shipped with NetBSD and many
    other systems is vulnerable to a buffer-overflow attack. This
    vulnerability may lead to arbitrary code execution as the user
    running the NTP daemon, usually root.
    
     PLEASE SEE VENDOR ADVISORY
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/netbsd_advisory-1262.html
    
    
    
    +---------------------------------+
    |   Progeny                       | ----------------------------//
    +---------------------------------+
    
    
    * Progeny: UPDATE: kernel vulnerabilities
    April 10th, 2001
    
    This is an update to advisory PROGENY-SA-2001-01. The sources.list
    line specified in Step 1 of the "UPDATING VIA APT-GET" section in the
    previous advisory was incorrect. This advisory fixes the error.
    
     http://archive.progeny.com/progeny/updates/newton/
     kernel-image-2.2.19_1.81_i386.deb
     f72c383e22a064ec394cff50a84ab789
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1281.html
    
    
    
    * Progeny:  'mailx' buffer overflow
    April 9th, 2001
    
    Mailx is a simple program to read and send e-mail. Mailx is installed
    setgid mail on Progeny and Debian systems. A buffer overflow in mailx
    allows for a local user to gain access to the mail group, which would
    allow that user to read and write to other mail spools.
    
     http://archive.progeny.com/pub/progeny/updates/newton/
     mailx_8.1.1-10.1.5progeny1_i386.deb
     fe12bbc355688e9eeff853cf13ed7f58
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1270.html
    
    
    
    * Progeny:  'kernel' vulnerability
    April 9th, 2001
    
    This vulnerability exploits a race condition in the 2.2.x Linux
    kernel within the execve() system call. By predicting the
    child-process sleep() within execve(), an attacker can use ptrace() or
    similar mechanisms to subvert control of the child process. If the
    child process is setuid, the attacker can cause the child process to
    execute arbitrary code at an elevated privilege.
    
     http://archive.progeny.com/progeny/updates/newton/
     kernel-image-2.2.19_1.81_i386.deb
     f72c383e22a064ec394cff50a84ab789
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1271.html
    
    
    
    * Progeny:  'ntp' buffer overflow
    April 9th, 2001
    
    The buffer overflow occurs when building a response to a query with a
    large readvar argument. The shellcode executed must be less than 70
    bytes, otherwise the destination buffer is damaged. This makes the
    vulnerability difficult but not impossible to exploit.
    
     http://archive.progeny.com/pub/progeny/updates/newton/
     ntp_4.0.99g-2.0progeny3_i386.deb
     edac3588fc782c6729b90719e7f41c5b
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1272.html
    
    
    
    
    
    +---------------------------------+
    |   Red Hat                       | ----------------------------//
    +---------------------------------+
    
    
    * RedHat: netscape JavaScript vulnerability
    April 10th, 2001
    
    Netscape does not escape GIF file comments in the image information
    page; this allows JavaScript commands embedded therein to be
    executed. These commands could access data such as the browser
    history.
    
     Red Hat Linux 7.0:
     i386:
     ftp://updates.redhat.com/7.0/en/os/i386/netscape-common-4.77-1.i386.rpm
     4bb1bcc4c439531019bcab78cd953f59
    
     ftp://updates.redhat.com/7.0/en/os/i386/netscape-communicator-4.77-1.i386.rpm
     7d6948941a20599b302bc0bc4f1c0999
    
     ftp://updates.redhat.com/7.0/en/os/i386/netscape-navigator-4.77-1.i386.rpm
     7d570955357ad6b8fbb9d9fd4913d5cf
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-1280.html
    
    
    
    
    * RedHat: UPDATE: 'pine' tmp file creation vulnerability
    April 10th, 2001
    
    Previous versions of the pine email client and the pico editor have
    had various temporary file creation issues that allow any user with
    local system access to cause files owned by anyone, including root, to
    be overwritten if the right set of conditions is met.
    
     Red Hat Linux 7.0:
     alpha:
     ftp://updates.redhat.com/7.0/en/os/alpha/pine-4.33-7.alpha.rpm
     b64337030032f68609db57faa1bb2ee5
    
     i386:
     ftp://updates.redhat.com/7.0/en/os/i386/pine-4.33-7.i386.rpm
     ef8d1e7d5a28b74a7a088ef67ed98dff
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/redhat_advisory-1279.html
    
    
    
    
    
    +---------------------------------+
    |   Slackware                     | ----------------------------//
    +---------------------------------+
    
    
    * Slackware:  'xntp3' buffer overflow
    April 9th, 2001
    
    The version of xntp3 that shipped with Slackware 7.1 as well as the
    version that was in Slackware -current contains a buffer overflow bug
    that could lead to a root compromise. Slackware 7.1 and Slackware
    -current users are urged to upgrade to the new packages available for
    their release.
    
     ftp://ftp.slackware.com/pub/slackware/slackware-current/
     slakware/n1/ntp4.tgz
     8dc3ec08fc63500ff75f640a1894bdd0
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/slackware_advisory-1266.html
    
    
    
    
    +---------------------------------+
    |   SuSE                          | ----------------------------//
    +---------------------------------+
    
    
    * SuSE: vim/gvim local privilege escalation
    April 10th, 2001
    
    The text editor vim, Vi IMproved, was found vulnerable to two
    security bugs: 1.) a tmp race condition; 2.) vim commands in regular
    files will be executed if the status line of vim is enabled in vimrc.
    Both vulnerabilities could be used to gain unauthorized access to
    more privileges.
    
     i386 Intel Platform:   SuSE-7.1
     ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/vim-5.7-71.i386.rpm
     db368baa134c23b3578c8022a66d2703
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-1278.html
    
    
    
    * SuSE: mc local privilege escalation
    April 10th, 2001
    
    The Midnight Commander, mc(1), is an ncurses-based file manager. A
    local attacker could trick mc(1) into executing commands with the
    privileges of the user running mc(1) by creating malicious directory
    names. This attack leads to local privilege escalation.
    
     SuSE-7.1: i386 Intel Platform
     ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/mc-4.5.51-1.i386.rpm
     c1eb197dff39e61065c498fa91347836
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-1277.html
    
    
    
    
    * SuSE:  'xntp' buffer overflow
    April 9th, 2001
    
    xntp is the network time protocol package widely used on many Unix
    and Linux systems for system time synchronization over a network. An
    exploit published by Przemyslaw Frasunek demonstrates a buffer
    overflow in the control request parsing code. The exploit allows a
    remote attacker to execute arbitrary commands as root. All versions
    as shipped with SuSE Linux are affected by the buffer overflow
    problem.
    
     SuSE-7.1
     ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/
     xntp-4.0.99f-34.i386.rpm
     9e39ca8f7b01fef22766463b8295e25d
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/suse_advisory-1274.html
    
    
    
    
    +---------------------------------+
    |   Trustix                       | ----------------------------//
    +---------------------------------+
    
    * Trustix:  'Xntpd' buffer overflow
    April 9th, 2001
    
    A buffer overflow in the Xntp NTP daemon has been found. This bug can
    lead to a remote root exploit.
    
     PLEASE SEE VENDOR ADVISORY
     ftp://ftp.trustix.net/pub/Trustix/software/swup/
    
     Vendor Advisory:
     http://www.linuxsecurity.com/advisories/other_advisory-1268.html
    
    
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email LISTSERVat_private with a message body of
    "SIGNOFF ISN".
    



    This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 00:57:57 PDT