+----------------------------------------------------------------+
|  LinuxSecurity.com                        Linux Advisory Watch |
|  April 13th, 2001                         Volume 2, Number 15a |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                   Benjamin Thomas
               daveat_private               benat_private

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the week.
It includes pointers to updated packages and descriptions of each
vulnerability.

This week, advisories were released for xntp3, ntpd, vim, mailx,
kernel, pine, netscape, and mc. The vendors include Conectiva, Caldera,
Debian, EnGarde, Immunix, Mandrake, NetBSD, Progeny, Red Hat, Slackware,
SuSE, and Trustix.

### FREE Apache SSL Guide from Thawte ###

Planning Web Server Security? Find out how to implement SSL! Get the
free Thawte Apache SSL Guide and find the answers to all your Apache SSL
security issues and more at:
http://www.thawte.com/ucgi/gothawte.cgi?a=n341305500018000

* Using GnuPG with Pine for Secure E-Mail

Many people have no problem sending sensitive data via e-mail. Most of
us do not know how easy it is for anybody to read it. Just because
somebody holds the title of "Systems Administrator" does not mean they
can be trusted. What is stopping them from reading your e-mail?
Nothing. This is where PGP comes in; it is easy-to-use encryption meant
for the common person.
http://www.linuxsecurity.com/feature_stories/feature_story-83.html

HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html

+---------------------------------+
| Installing a new package:       |
------------------------------//
+---------------------------------+

  # rpm -Uvh <filename>
  # dpkg -i <filename>

Packages can be installed easily by using rpm (Red Hat Package Manager)
or dpkg (Debian Package Manager). Most updates issued by vendors are
packaged as either an rpm or a deb. Additional installation instructions
can be found in the body of the advisories.
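The install commands above should only be run once the downloaded file
has been checked against the checksum the vendor advisory publishes (the
md5sum procedure described in the next section). The POSIX shell script
below, added here as an illustration and not part of the original
newsletter, ties the two steps together: it recomputes the MD5 of a
package, compares it with the expected value, reads a "path checksum"
list in the same layout the vendor sections of this issue use, and hands
the file to rpm only after the comparison succeeds. The function names
and the CHECKSUM_LIST argument are this example's own conventions, not
anything from the newsletter or from rpm.

```shell
#!/bin/sh
# Added example: verify downloaded packages against advisory checksums
# before installing them. Nothing here is taken from the newsletter's
# own tooling; function names are this script's own.

# verify_md5 FILE EXPECTED_SUM
#   Returns 0 if FILE exists and its MD5 equals EXPECTED_SUM, 1 otherwise.
verify_md5() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(md5sum "$file" | awk '{print $1}')
    [ "$actual" = "$expected" ]
}

# verify_list LISTFILE
#   LISTFILE holds one "path md5sum" pair per line, the layout the
#   advisories above print (e.g. "RPMS/vim-5.7-12.i386.rpm 6f57e2a3...").
#   Prints one status line per package and returns 0 only if every
#   package verifies, so a single tampered or truncated file fails the run.
verify_list() {
    status=0
    while read -r path sum; do
        [ -n "$path" ] || continue          # skip blank lines
        if verify_md5 "$path" "$sum"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"
            status=1
        fi
    done < "$1"
    return $status
}

# install_if_verified FILE EXPECTED_SUM
#   Installs FILE with rpm -Uvh only after its checksum matches; an
#   unverified package is never passed to the package manager.
install_if_verified() {
    if verify_md5 "$1" "$2"; then
        rpm -Uvh "$1"
    else
        echo "refusing to install $1: checksum mismatch" >&2
        return 1
    fi
}

# Usage: sh verify.sh CHECKSUM_LIST
if [ "$#" -ge 1 ]; then
    verify_list "$1"
fi
```

Copy the expected checksums from the advisory mail or the vendor's
advisory page, not from the mirror you fetched the package from: a
checksum served alongside the package proves nothing if the mirror was
the thing that was tampered with. Where the vendor signs its packages,
`rpm --checksig <filename>` checks the signature as well, which covers
the case the MD5 comparison alone cannot.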
+---------------------------------+
| Checking Package Integrity:     |
-----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is applied.
The result can be compared against a previously generated sum to
determine whether the file has changed. It is commonly used to check the
integrity of updated packages distributed by a vendor.

  # md5sum <filename>
  ebf0d4a0d236453f63a797ea20f0758b  <filename>

The string of numbers can then be compared against the MD5 checksum
published by the packager. A checksum only detects corruption or
tampering by someone who could not also alter the published value; it
does not protect against a party who modified both the package and the
checksum. Within that limit it still gives a great deal of assurance in
the integrity of a package before installing it.

+---------------------------------+
| Conectiva                       |
----------------------------//
+---------------------------------+

* Conectiva: 'xntp3' buffer overflow
  April 9th, 2001

  "xntp3" is a package used to synchronize clocks between computers on a
  network. Przemyslaw Frasunek published an exploit that demonstrates a
  buffer overflow vulnerability in that package. This vulnerability can
  be exploited remotely and is aggravated by the fact that the xntpd
  daemon runs as root.

  ftp://atualizacoes.conectiva.com.br/6.0/RPMS/xntp3-5.93-21cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1269.html

+---------------------------------+
| Caldera                         |
----------------------------//
+---------------------------------+

* Caldera: 'vim' multiple vulnerabilities
  April 11th, 2001

  There exists a possibility for an attacker to embed special modelines
  into a text file which, when opened with vim, could compromise the
  account of the user.
  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  RPMS/vim-5.7-12.i386.rpm       6f57e2a30063af5973c98734bd56099e
  RPMS/vim-X11-5.7-12.i386.rpm   e53bbd8b9cd8020015d08edcbe8c872a
  RPMS/vim-help-5.7-12.i386.rpm  1914bb9b40d72a0bfdd1997890b7c05a

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1282.html

* Caldera: ntpd remote buffer overflow vulnerability
  April 6th, 2001

  The ntp time synchronisation daemon has a buffer overflow in its
  control request parsing which allows any remote attacker to gain root
  access, if the daemon is running.

  ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
  RPMS/xntp-3.5.93e-5.i386.rpm   19e51b89951b435061450398e764b753

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-1264.html

+---------------------------------+
| Debian                          |
----------------------------//
+---------------------------------+

* Debian: UPDATE: ntp denial of service
  April 10th, 2001

  Przemyslaw Frasunek reported that ntp daemons such as that released
  with Debian GNU/Linux are vulnerable to a buffer overflow that can lead
  to a remote root exploit. A previous advisory (DSA-045-1) partially
  addressed this issue, but introduced a potential denial of service
  attack. This has been corrected for Debian 2.2 (potato) in ntp version
  4.0.99g-2potato2.
  Architecture-independent files:
  http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/ntp-doc_4.0.99g-2potato2_all.deb
    MD5 checksum: cfa7f1a427fb65dc85eca68f823c95d7
  http://security.debian.org/debian-security/dists/stable/updates/main/binary-all/xntp3_4.0.99g-2potato2_all.deb
    MD5 checksum: 3216aeca42720cd2b00f19ef05dc4ff8

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/debian_advisory-1276.html

+---------------------------------+
| EnGarde                         |
----------------------------//
+---------------------------------+

* EnGarde: 'xntp3' buffer overflow
  April 9th, 2001

  By attacking a very small buffer with a very small set of shellcode,
  an attacker can potentially gain root access. It has been reported
  that in some cases the only effect is a segfault of ntpd. The Network
  Time Protocol (NTP) is used to synchronize a computer's time with
  another reference time source. The xntp3 package contains utilities
  and daemons which will synchronize your computer's time to Coordinated
  Universal Time (UTC) via the NTP protocol and NTP servers.

  http://ftp.engardelinux.org/pub/engarde/stable/updates/i686/xntp3-5.93-1.0.16.i686.rpm
    MD5 Sum: 3d7823343a0db6485a94fa16fad5afbd

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1273.html

+---------------------------------+
| Immunix                         |
----------------------------//
+---------------------------------+

* Immunix: ntpd buffer overflow
  April 6th, 2001

  The StackGuard protection in Immunix is effective at stopping this
  attack. If the published exploit is run against the Immunix version,
  it will cause ntpd to exit with a StackGuard detection message, but no
  penetration is possible. WireX is releasing updated packages to
  prevent the residual DoS attack.
  Precompiled binary package for Immunix 6.2 is available at:
  http://immunix.org/ImmunixOS/6.2/updates/RPMS/xntp3-5.93-14_StackGuard_2.i386.rpm
    4a87c36da4418926d95c5a19cd913f48

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1259.html

+---------------------------------+
| Mandrake                        |
----------------------------//
+---------------------------------+

* Mandrake: ntpd buffer overflow
  April 6th, 2001

  Przemyslaw Frasunek reported that ntp daemons such as ntp and xntp3
  are vulnerable to a buffer overflow that can lead to a remote root
  exploit. Linux-Mandrake users are urged to upgrade ntp and xntp3
  immediately.

  http://www.linux-mandrake.com/en/ftp.php3

  Linux-Mandrake 7.2:
  7.2/RPMS/ntp-4.0.99k-3.1mdk.i586.rpm   78510269b88b75b90fbb28cb5ecd7d0b
  7.2/RPMS/xntp3-5.93-9.1mdk.i586.rpm    d1be8a263979dfcc9549aa0193b3bc43

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-1260.html

+---------------------------------+
| NetBSD                          |
----------------------------//
+---------------------------------+

* NetBSD: Ftpd denial of service and remote buffer overflow
  April 10th, 2001

  A recent COVERT Labs Security Advisory (COVERT-2001-02) describes a
  remote denial of service and buffer overrun that COVERT Labs
  discovered in the glob(3) library function. This function is called
  by the ftp server daemon (ftpd), and therefore the ftp server is
  vulnerable to this attack. Systems running ftpd are vulnerable.

  PLEASE SEE VENDOR ADVISORY FOR UPDATE

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-1275.html

* NetBSD: NTP remote buffer overflow
  April 6th, 2001

  The NTP time synchronisation service shipped with NetBSD and many
  other systems is vulnerable to a buffer-overflow attack. This
  vulnerability may lead to arbitrary code execution as the user running
  the NTP daemon, usually root.
  PLEASE SEE VENDOR ADVISORY

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/netbsd_advisory-1262.html

+---------------------------------+
| Progeny                         |
----------------------------//
+---------------------------------+

* Progeny: UPDATE: kernel vulnerabilities
  April 10th, 2001

  This is an update to advisory PROGENY-SA-2001-01. The sources.list
  line specified in Step 1 of the "UPDATING VIA APT-GET" section in the
  previous advisory was incorrect. This advisory fixes the error.

  http://archive.progeny.com/progeny/updates/newton/kernel-image-2.2.19_1.81_i386.deb
    f72c383e22a064ec394cff50a84ab789

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1281.html

* Progeny: 'mailx' buffer overflow
  April 9th, 2001

  Mailx is a simple program to read and send e-mail. Mailx is installed
  setgid mail on Progeny and Debian systems. A buffer overflow in mailx
  allows a local user to gain access to the mail group, which would
  allow that user to read and write other users' mail spools.

  http://archive.progeny.com/pub/progeny/updates/newton/mailx_8.1.1-10.1.5progeny1_i386.deb
    fe12bbc355688e9eeff853cf13ed7f58

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1270.html

* Progeny: 'kernel' vulnerability
  April 9th, 2001

  This vulnerability is a race condition in the 2.2.x Linux kernel
  within the execve() system call. By predicting the child-process
  sleep() within execve(), an attacker can use ptrace() or similar
  mechanisms to subvert control of the child process. If the child
  process is setuid, the attacker can cause the child process to execute
  arbitrary code at an elevated privilege.

  http://archive.progeny.com/progeny/updates/newton/kernel-image-2.2.19_1.81_i386.deb
    f72c383e22a064ec394cff50a84ab789

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1271.html

* Progeny: 'ntp' buffer overflow
  April 9th, 2001

  The buffer overflow occurs when building a response to a query with a
  large readvar argument.
  The shellcode executed must be less than 70 bytes, otherwise the
  destination buffer is damaged. This makes the vulnerability difficult
  but not impossible to exploit.

  http://archive.progeny.com/pub/progeny/updates/newton/ntp_4.0.99g-2.0progeny3_i386.deb
    edac3588fc782c6729b90719e7f41c5b

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1272.html

+---------------------------------+
| Red Hat                         |
----------------------------//
+---------------------------------+

* RedHat: netscape JavaScript vulnerability
  April 10th, 2001

  Netscape does not escape GIF file comments in the image information
  page; this allows JavaScript commands embedded therein to be executed.
  These commands could access data such as the browser history.

  Red Hat Linux 7.0:
  i386:
  ftp://updates.redhat.com/7.0/en/os/i386/netscape-common-4.77-1.i386.rpm
    4bb1bcc4c439531019bcab78cd953f59
  ftp://updates.redhat.com/7.0/en/os/i386/netscape-communicator-4.77-1.i386.rpm
    7d6948941a20599b302bc0bc4f1c0999
  ftp://updates.redhat.com/7.0/en/os/i386/netscape-navigator-4.77-1.i386.rpm
    7d570955357ad6b8fbb9d9fd4913d5cf

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1280.html

* RedHat: UPDATE: 'pine' tmp file creation vulnerability
  April 10th, 2001

  Previous versions of the pine email client and the pico editor have
  had various temporary file creation issues that allow any user with
  local system access to cause files owned by anyone, including root, to
  be overwritten if the right set of conditions are met.
  Red Hat Linux 7.0:
  alpha:
  ftp://updates.redhat.com/7.0/en/os/alpha/pine-4.33-7.alpha.rpm
    b64337030032f68609db57faa1bb2ee5
  i386:
  ftp://updates.redhat.com/7.0/en/os/i386/pine-4.33-7.i386.rpm
    ef8d1e7d5a28b74a7a088ef67ed98dff

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-1279.html

+---------------------------------+
| Slackware                       |
----------------------------//
+---------------------------------+

* Slackware: 'xntp3' buffer overflow
  April 9th, 2001

  The version of xntp3 that shipped with Slackware 7.1, as well as the
  version that was in Slackware -current, contains a buffer overflow bug
  that could lead to a root compromise. Slackware 7.1 and Slackware
  -current users are urged to upgrade to the new packages available for
  their release.

  ftp://ftp.slackware.com/pub/slackware/slackware-current/slakware/n1/ntp4.tgz
    8dc3ec08fc63500ff75f640a1894bdd0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/slackware_advisory-1266.html

+---------------------------------+
| SuSE                            |
----------------------------//
+---------------------------------+

* SuSE: vim/gvim local privilege escalation
  April 10th, 2001

  The text editor vim, Vi IMproved, was found vulnerable to two security
  bugs.

  1.) a tmp race condition
  2.) vim commands in regular files will be executed if the status line
      of vim is enabled in vimrc

  Both vulnerabilities could be used to gain unauthorized access to more
  privileges.

  i386 Intel Platform:
  SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/a1/vim-5.7-71.i386.rpm
    db368baa134c23b3578c8022a66d2703

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1278.html

* SuSE: mc local privilege escalation
  April 10th, 2001

  The Midnight Commander, mc(1), is an ncurses-based file manager. A
  local attacker could trick mc(1) into executing commands with the
  privileges of the user running mc(1) by creating malicious directory
  names. This attack leads to local privilege escalation.
  SuSE-7.1:
  i386 Intel Platform
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/ap1/mc-4.5.51-1.i386.rpm
    c1eb197dff39e61065c498fa91347836

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1277.html

* SuSE: 'xntp' buffer overflow
  April 9th, 2001

  xntp is the network time protocol package widely used with many unix
  and linux systems for system time synchronization over a network. An
  exploit published by Przemyslaw Frasunek demonstrates a buffer
  overflow in the control request parsing code. The exploit allows a
  remote attacker to execute arbitrary commands as root. All versions as
  shipped with SuSE Linux are affected by the buffer overflow problem.

  SuSE-7.1
  ftp://ftp.suse.com/pub/suse/i386/update/7.1/n2/xntp-4.0.99f-34.i386.rpm
    9e39ca8f7b01fef22766463b8295e25d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/suse_advisory-1274.html

+---------------------------------+
| Trustix                         |
----------------------------//
+---------------------------------+

* Trustix: 'Xntpd' buffer overflow
  April 9th, 2001

  A buffer overflow in the Xntp NTP daemon has been found. This bug can
  lead to a remote root exploit.

  PLEASE SEE VENDOR ADVISORY
  ftp://ftp.trustix.net/pub/Trustix/software/swup/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-1268.html

------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

To unsubscribe email vuln-newsletter-requestat_private with
"unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERVat_private with a message body of
"SIGNOFF ISN".
This archive was generated by hypermail 2b30 : Sun Apr 15 2001 - 00:57:57 PDT