[ISN] Linux Advisory Watch - September 20th 2002

From: InfoSec News (isnat_private)
Date: Mon Sep 23 2002 - 00:58:45 PDT


    +----------------------------------------------------------------+
    |  LinuxSecurity.com                        Linux Advisory Watch |
    |  September 20th, 2002                     Volume 3, Number 38a |
    +----------------------------------------------------------------+
     
      Editors:     Dave Wreski                Benjamin Thomas
                   daveat_private     benat_private
    
    Linux Advisory Watch is a comprehensive newsletter that outlines the
    security vulnerabilities that have been announced throughout the week.
    It includes pointers to updated packages and descriptions of each
    vulnerability.
    
    This week, advisories were released for purity, openssl, konqueror, php,
    libkvm, libresolv, NetBSD kernel, libc, shutdown, pppd, kf/kfd, ioctl, dns,
    nfs, setlocale, postgresql, and libx11.  The vendors include Conectiva,
    Debian, FreeBSD, NetBSD, and SuSE.  NetBSD users should pay close
    attention to this issue because a number of critical advisories were
    released.  For more information, please see the following:
    
    Multiple NetBSD Security Advisories Released/Updated
    http://www.linuxsecurity.com/articles/security_sources_article-5711.html
     
    
    ** Concerned about the next threat? EnGarde is the undisputed winner! 
    Hardened Linux Puts Hackers EnGarde! Winner of the Network Computing 
    Editor's Choice Award, EnGarde "walked away with our Editor's Choice 
    award thanks to the depth of its security strategy..." Find out what 
    the other Linux vendors are not telling you. 
    
     --> http://ads.linuxsecurity.com/cgi-bin/ad_redirect.pl?id=engarde2 
      
    FEATURE: What is Slapper? - The question of the week: What is Slapper? Let
    me begin by telling you I am not only describing the Slapper worm, but I am
    also describing the Apache/mod_ssl worm, the bugtraq.c worm, and the Modap
    worm. In effect, these are just four different names for the same nasty worm.
    
    http://www.linuxsecurity.com/feature_stories/feature_story-119.html 
      
      
    +---------------------------------+
    |  Package: purity                | ----------------------------//
    |  Date: 09-15-2002               |
    +---------------------------------+  
     
    Description: 
    Two buffer overflows have been discovered in purity, a game for nerds and
    hackers, which is installed setgid games on a Debian system.  This problem
    could be exploited to gain unauthorized access to the group games.  A
    malicious user could alter the highscore of several games.
    
    Vendor Alerts: 
    
     Debian: i386: 
     http://security.debian.org/pool/updates/main/p/purity/
     purity_1-9.1_i386.deb 
     Size/MD5 checksum:    27404 6eb60f91f4cd3730bef018115268c568 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-2347.html
     
    
    
    +---------------------------------+
    |  Package: openssl               | ----------------------------//
    |  Date: 09-15-2002               |
    +---------------------------------+  
     
    Description: 
    The OpenSSL development team has announced that a security audit by
    A.L. Digital Ltd and The Bunker, under the DARPA CHATS program, has
    revealed remotely exploitable buffer overflow conditions in the
    OpenSSL code. 
    Additionally, the ASN.1 parser in OpenSSL has a potential DoS condition,
    independently discovered by Adi Stav and James Yonan.
    
    Vendor Alerts: 
    
     Debian: i386: 
     http://security.debian.org/pool/updates/main/o/openssl/ 
     libssl-dev_0.9.6c-0.potato.4_i386.deb 
     
     Size/MD5 checksum:  1288134 430658383c6c37cfafbddd16a492f407 
     http://security.debian.org/pool/updates/main/o/openssl/ 
     libssl0.9.6_0.9.6c-0.potato.4_i386.deb 
     Size/MD5 checksum:   463668 37e1e010c4eab318a48b8f1de3c73910 
    
     http://security.debian.org/pool/updates/main/o/openssl/ 
     openssl_0.9.6c-0.potato.4_i386.deb 
     Size/MD5 checksum:   724530 82241d5d38dc62b0e4d53f41303e8829 
    
     http://security.debian.org/pool/updates/main/o/openssl094/  
     libssl09_0.9.4-6.potato.0_i386.deb 
     Size/MD5 checksum:  1272012 0e9c6f0a2fde3e72eb4b3c88e57ad9fa 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-2348.html 
    
     Debian Vendor Advisory (UPDATE): 
     http://www.linuxsecurity.com/advisories/debian_advisory-2373.html 
     
    
    NetBSD: 
    
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2353.html 
    
     NetBSD Vendor Advisory 2:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2363.html
     
    
      
    +---------------------------------+
    |  Package: konqueror             | ----------------------------//
    |  Date: 09-15-2002               |
    +---------------------------------+  
     
    Description: 
    A cross-site scripting problem has been discovered in Konqueror, the KDE
    web browser, and in other programs that use KHTML. The KDE team reports
    that Konqueror's cross-site scripting protection fails to initialize the
    domains on sub-(i)frames correctly.  As a result, JavaScript is able to
    access any foreign subframe which is defined in the HTML source.  Users of
    Konqueror and of other KDE software that uses the KHTML rendering engine
    may fall victim to cookie-stealing and other cross-site scripting attacks.
    
    Vendor Alerts: 
    
     Debian: i386: 
     http://security.debian.org/pool/updates/main/k/kdelibs/
     kdelibs3_2.2.2-13.woody.3_i386.deb 
     Size/MD5 checksum:  6618086 c876d1e96c2b9a74475204ed24f651d2 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-2350.html
     
    
      
      
    +---------------------------------+
    |  Package: php                   | ----------------------------//
    |  Date: 09-15-2002               |
    +---------------------------------+  
     
    Description: 
    Wojciech Purczynski found out that it is possible for scripts to pass
    arbitrary text to sendmail as command-line options when sending mail
    through PHP, even when safe_mode is turned on.  Passing the 5th argument
    of mail() should be disabled if PHP is configured in safe_mode, which is
    the case for newer PHP versions and for the versions below.  This does
    not affect PHP3, though.
    
    Vendor Alerts: 
    
     Debian: i386: 
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Debian Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/debian_advisory-2375.html
     
    
      
    
    +---------------------------------+
    |  Package: libkvm                | ----------------------------//
    |  Date: 09-15-2002               |
    +---------------------------------+  
     
    Description: 
    The kvm(3) library provides a uniform interface for accessing kernel
    virtual memory images, including live systems and crash dumps.  Access to
    live systems is via /dev/mem and /dev/kmem.  Memory can be read and
    written, kernel symbol addresses can be looked up efficiently, and
    information about user processes can be gathered.
    
    Vendor Alerts: 
    
     FreeBSD:  
     ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/ 
     patches/SA-02:39/libkvm.patch 
    
     FreeBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2349.html 
    
     FreeBSD Vendor Advisory (UPDATE): 
     http://www.linuxsecurity.com/advisories/freebsd_advisory-2371.html
     
    
      
    +---------------------------------+
    |  Package: libresolv             | ----------------------------//
    |  Date: 09-17-2002               |
    +---------------------------------+  
     
    Description: 
    There was a buffer-length computation bug in BIND-based DNS resolver
    code.  A malicious DNS response packet may be able to overwrite data
    outside the buffer, and it could lead to attacks as serious as a
    remote root exploit, though there are no public exploits in
    circulation at this time. 
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2351.html
     
    
      
    +---------------------------------+
    |  Package: NetBSD kernel         | ----------------------------//
    |  Date: 09-17-2002               |
    +---------------------------------+  
     
    Description: 
    A session leader can use the TIOCSCTTY ioctl to set the session's
    controlling terminal. This ioctl can be called any number of times. The
    call unconditionally raised the hold count of a kernel structure shared
    between processes in the same session. It was possible to overflow the
    structure's counter, and thus arrange for the structure's memory to be
    freed prematurely, and possibly re-used.  This could cause a kernel panic
    or incorrect operation the next time the session structure is accessed
    from the context of other processes which were part of the former session.
    
    Vendor Alerts: 
    
     NetBSD:  
     ftp://ftp.netbsd.org/pub/NetBSD/security/patches/
     SA2002-007-tiocsctty.patch 
    
    
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2352.html
     
    
      
    +---------------------------------+
    |  Package: libc                  | ----------------------------//
    |  Date: 09-19-2002               |
    +---------------------------------+  
     
    Description: 
    Integer overflows exist in the RPC code in libc. These cause a buffer
    to be mistakenly allocated too small, and then overrun. The
    automounter amd(8) and its query tool amq(8), and the rusers(1)
    client binary, use the flawed code in a way which could be
    exploitable. Other uses of the RPC functions have been examined and
    are believed not to be exploitable. 
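The allocation pattern behind this advisory, shown as an added example (this is constructed illustration code, not NetBSD's libc or its patch): an XDR decoder reads a 32-bit element count from the wire and multiplies it by the element size. Computed in 32 bits, that product wraps, so the buffer comes out far smaller than the element loop then writes. The decoder below does the multiplication with an explicit overflow check and additionally refuses counts larger than what is actually present in the message. The sample messages are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Read a 32-bit big-endian XDR unsigned integer. */
static uint32_t xdr_u32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The vulnerable pattern: the byte count is computed with 32-bit wraparound,
 * so 0x40000001 elements of 4 bytes "need" only 4 bytes of buffer. */
uint32_t naive_array_bytes(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;
}

/* The hardened pattern: refuse any count whose product cannot be represented
 * in the type the allocation is made with. */
int checked_array_bytes(uint32_t count, uint32_t elem_size, uint32_t *bytes)
{
    if (elem_size == 0 || count > UINT32_MAX / elem_size)
        return -1;
    *bytes = count * elem_size;
    return 0;
}

/* Decode an XDR variable-length array of u32: a 4-byte count followed by
 * `count` 4-byte elements.  Returns the element count, or -1 on malformed
 * input.  On success the caller owns *out and must free() it. */
long xdr_decode_u32_array(const uint8_t *buf, size_t len, uint32_t **out)
{
    uint32_t count, bytes;
    if (len < 4)
        return -1;
    count = xdr_u32(buf);
    if (checked_array_bytes(count, 4, &bytes) < 0)
        return -1;                      /* product would overflow */
    if (bytes > len - 4)
        return -1;                      /* count exceeds what is on the wire */
    uint32_t *arr = count ? malloc(bytes) : NULL;
    if (count && arr == NULL)
        return -1;
    for (uint32_t i = 0; i < count; i++)
        arr[i] = xdr_u32(buf + 4 + 4 * (size_t)i);
    *out = arr;
    return (long)count;
}

/* Constructed sample messages for this example (not taken from any advisory):
 * a well-formed 3-element array, and one claiming 0x40000001 elements. */
static const uint8_t good_msg[] = { 0,0,0,3,  0,0,0,1,  0,0,0,2,  0,0,0,3 };
static const uint8_t evil_msg[] = { 0x40,0,0,1,  0xde,0xad,0xbe,0xef };

/* Returns 1 if the decoder rejected the malicious count. */
int demo_overflow_rejected(void)
{
    uint32_t *arr = NULL;
    long n = xdr_decode_u32_array(evil_msg, sizeof evil_msg, &arr);
    free(arr);
    return n < 0;
}
```

The second check (bytes against the remaining message length) is what makes a network decoder robust even when the arithmetic is correct: an honest count of a million elements is still a denial of service if the allocation is made before the data is known to exist.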
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2355.html 
    
     NetBSD Vendor Advisory (RPC XDR): 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2362.html
     
    
    
    +---------------------------------+
    |  Package: shutdown              | ----------------------------//
    |  Date: 09-19-2002               |
    +---------------------------------+  
     
    Description: 
    shutdown(s, SHUT_RD) is used to indicate that no further inbound
    traffic is expected on the socket.  There was a mistake in TCP's
    handling of a socket that had been shut down this way, leading to
    unexpected kernel resource consumption and unexpected behavior. 
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2359.html
     
    
    
    +---------------------------------+
    |  Package: fd_set (pppd)         | ----------------------------//
    |  Date: 09-19-2002               |
    +---------------------------------+  
     
    Description: 
    The IPv4 multicast-related tools mrinfo(1) and mtrace(1), and the PPP
    daemon pppd(8), are setuid root binaries.  A malicious local user can
    cause a buffer overrun in these programs by filling file descriptor
    tables before exec'ing them, which could lead to local root
    compromise. 
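The mechanism here deserves a concrete look. FD_SET(fd, &set) sets bit `fd` in a fixed bitmap of FD_SETSIZE bits and does no bounds check of its own; a set-id program inherits the invoker's descriptor table, so if that table is already nearly full, open(2) or socket(2) hands back a descriptor at or above FD_SETSIZE and the unchecked FD_SET writes past the end of the fd_set on the stack. The code below is an added example, not NetBSD's code or its fix: a checked FD_SET wrapper, a descriptor acquisition that gives the descriptor back when it is unusable with select(2), and the poll(2) alternative that has no such ceiling.

```c
#include <errno.h>
#include <poll.h>
#include <sys/select.h>
#include <unistd.h>

/* FD_SET with the bounds check the macro lacks.  Returns -1 (EINVAL) for any
 * descriptor that does not fit in the bitmap instead of writing past it. */
int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Acquire descriptors that are safe to use with select(2).  If the inherited
 * table is already full past FD_SETSIZE, release them and fail with EMFILE
 * rather than carry an unusable descriptor into later FD_SET calls. */
int pipe_for_select(int fds[2])
{
    if (pipe(fds) < 0)
        return -1;
    if (fds[0] >= FD_SETSIZE || fds[1] >= FD_SETSIZE) {
        close(fds[0]);
        close(fds[1]);
        errno = EMFILE;
        return -1;
    }
    return 0;
}

/* The alternative that removes the problem class: poll(2) takes an array of
 * descriptors and has no FD_SETSIZE limit.  Returns 1 if fd is readable,
 * 0 on timeout, -1 on error. */
int wait_readable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLIN, .revents = 0 };
    int rc = poll(&pfd, 1, timeout_ms);
    if (rc < 0)
        return -1;
    if (rc == 0)
        return 0;
    return (pfd.revents & (POLLIN | POLLHUP)) ? 1 : 0;
}

/* Demonstration: create a pipe, write one byte, confirm poll(2) reports it. */
int demo_pipe_readable(void)
{
    int fds[2];
    if (pipe_for_select(fds) < 0)
        return -1;
    if (write(fds[1], "x", 1) != 1)
        return -1;
    int r = wait_readable(fds[0], 100);
    close(fds[0]);
    close(fds[1]);
    return r;
}
```

In a set-id program the inherited descriptor table is attacker-controlled input like any other; closing everything above 2 on startup (or switching to poll(2)) removes the dependency on its size.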
      
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2358.html 
    
     NetBSD Vendor Advisory fd_set: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2369.html 
    
     NetBSD Vendor Advisory pppd: 
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2370.html
     
    
      
    +---------------------------------+
    |  Package: kf/kfd               | ----------------------------//
    |  Date: 09-19-2002               |
    +---------------------------------+  
     
    Description: 
    kf and kfd are used to forward Kerberos credentials in a stand-alone
    fashion, and come from the Heimdal Kerberos implementation used by
    NetBSD.  In Heimdal releases earlier than 0.5, these programs have
    multiple security issues, including possible buffer overruns. 
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2360.html
     
    
      
    +---------------------------------+
    |  Package: ioctl                 | ----------------------------//
    |  Date: 09-5-2002                |
    +---------------------------------+  
     
    Description: 
    A session leader can use the TIOCSCTTY ioctl to set the session's
    controlling terminal. This ioctl can be called any number of times.
    The call unconditionally raised the hold count of a kernel structure
    shared between processes in the same session. It was possible to
    overflow the structure's counter, and thus arrange for the structure's
    memory to be freed prematurely, and possibly re-used.  This could
    cause a kernel panic or incorrect operation the next time the session
    structure is accessed from the context of other processes which were
    part of the former session. 
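The failure described in this entry and in the "NetBSD kernel" entry above is a reference count that wraps. The following is an added model of it, constructed for this newsletter and not NetBSD's session structure or its patch: a 16-bit hold count is assumed purely so the wrap is cheap to reproduce, and the checked variant is one possible fix shape, not the one NetBSD shipped. The attacker model is a session leader issuing the ioctl many times, after which a single legitimate release frees a structure that other processes in the session still reference.

```c
#include <errno.h>
#include <stdint.h>

/* Constructed model of a session structure kept alive by a hold count. */
struct session {
    uint16_t s_count;   /* holds on the structure; freed when this reaches 0 */
    int      freed;     /* set once the structure has been "freed" */
};

/* Vulnerable pattern: every TIOCSCTTY raises the hold count with no upper
 * bound, so enough calls wrap it back to zero. */
void session_hold_unchecked(struct session *s)
{
    s->s_count++;
}

/* Hardened pattern: refuse a hold that cannot be represented.  (Another
 * valid shape is to take the hold only on a process's first TIOCSCTTY.) */
int session_hold_checked(struct session *s)
{
    if (s->s_count == UINT16_MAX)
        return -EOVERFLOW;
    s->s_count++;
    return 0;
}

/* Dropping a hold frees the structure when the count reaches zero.  A count
 * that is already zero means an earlier wrap; the free is then premature. */
void session_rele(struct session *s)
{
    if (s->s_count == 0 || --s->s_count == 0)
        s->freed = 1;
}

/* Attacker model: n_calls ioctls by the session leader, then one legitimate
 * release.  Returns 1 if the structure was freed while still in use. */
int premature_free_unchecked(unsigned n_calls)
{
    struct session s = { 1, 0 };            /* one legitimate hold */
    for (unsigned i = 0; i < n_calls; i++)
        session_hold_unchecked(&s);
    session_rele(&s);
    return s.freed;
}

int premature_free_checked(unsigned n_calls)
{
    struct session s = { 1, 0 };
    for (unsigned i = 0; i < n_calls; i++)
        (void)session_hold_checked(&s);     /* surplus holds are rejected */
    session_rele(&s);
    return s.freed;
}
```

With the real kernel counter width the number of calls is larger, but an unprivileged loop of ioctl(2) calls reaches it; the property to audit is that no user-triggerable path increments a hold count without either a bound or a matching, attacker-independent decrement.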
    
    Vendor Alerts: 
    
     NetBSD:  
     ftp://ftp.netbsd.org/pub/NetBSD/security/patches/
     SA2002-007-tiocsctty.patch 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2364.html
     
    
      
    +---------------------------------+
    |  Package: dns                   | ----------------------------//
    |  Date: 09-5-2002                |
    +---------------------------------+  
     
    Description: 
    There was a buffer-length computation bug in BIND-based DNS resolver
    code.  A malicious DNS response packet may be able to overwrite data
    outside the buffer, and it could lead to attacks as serious as a
    remote root exploit, though there are no public exploits in
    circulation at this time. 
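Both this entry and the "libresolv" entry above concern a buffer-length computation in resolver code that expands names from a DNS response. The function below is an added example of the kind of check the advisory text implies, written for this newsletter and not taken from BIND, NetBSD or their patches: it expands a possibly compressed name into dotted text, checking every label length against the end of the message and the remaining room in the destination, and bounding the number of compression pointers it will follow. The sample message is constructed for the example (a zeroed 12-byte header followed by a name and a compression pointer).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Expand the name at msg[off] into dst as dotted text.  Returns the number of
 * bytes the name occupies at `off` in the message (its wire length in place),
 * or -1 on malformed input, truncation, or insufficient dst space. */
int dn_expand_checked(const uint8_t *msg, size_t msglen, size_t off,
                      char *dst, size_t dstlen)
{
    size_t pos = off, written = 0;
    int consumed = -1;              /* fixed once the first pointer is followed */
    unsigned jumps = 0;

    if (dstlen == 0)
        return -1;
    for (;;) {
        if (pos >= msglen)
            return -1;              /* length byte itself is past the end */
        uint8_t len = msg[pos];
        if ((len & 0xC0) == 0xC0) { /* compression pointer: 14-bit offset */
            if (pos + 1 >= msglen)
                return -1;
            if (++jumps > 64)
                return -1;          /* pointer loop or absurd chain */
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            pos = ((size_t)(len & 0x3F) << 8) | msg[pos + 1];
            continue;
        }
        if (len & 0xC0)
            return -1;              /* 0x40/0x80 label types not supported */
        pos++;
        if (len == 0)
            break;                  /* root label terminates the name */
        if (pos + len > msglen)
            return -1;              /* label runs past the message */
        /* the buffer-length check: label, separator if needed, and NUL */
        size_t need = written + (written ? 1 : 0) + len + 1;
        if (need > dstlen)
            return -1;
        if (written)
            dst[written++] = '.';
        memcpy(dst + written, msg + pos, len);
        written += len;
        pos += len;
    }
    if (written == 0) {             /* the root name prints as "." */
        if (dstlen < 2)
            return -1;
        dst[written++] = '.';
    }
    dst[written] = '\0';
    if (consumed < 0)
        consumed = (int)(pos - off);
    return consumed;
}

/* Constructed sample response fragment for this example. */
static const uint8_t sample_msg[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,                          /* 12-byte header, zeroed */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0xC0, 16                                          /* pointer to offset 16 */
};
```

The two failure modes a resolver must survive are a response shorter than its labels claim (the check against msglen) and a name longer than the caller's buffer (the check against dstlen); the original code miscounted the latter. A third, the pointer loop, costs nothing to guard against and turns a hang into a parse error.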
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2365.html
     
    
      
    +---------------------------------+
    |  Package: nfs                   | ----------------------------//
    |  Date: 09-5-2002                |
    +---------------------------------+  
     
    Description: 
    The Network File System (NFS) allows a host to export some or all of
    its filesystems, or parts of them, so that other hosts can access
    them over the network and mount them as if they were on local disks. 
    NFS is built on top of the Sun Remote Procedure Call (RPC) framework.
    
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2366.html
     
    
      
    +---------------------------------+
    |  Package: setlocale             | ----------------------------//
    |  Date: 09-5-2002                |
    +---------------------------------+  
     
    Description: 
    There was a bounds-checking bug in the array indexing of the setlocale()
    function in libc.  If setlocale() is called with arguments satisfying a
    specific condition (described in the vendor advisory), there is a
    possibility that this could be exploitable.   
    
    Vendor Alerts: 
    
     NetBSD:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     NetBSD Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/netbsd_advisory-2367.html
     
    
      
      
    +---------------------------------+
    |  Package: postgresql            | ----------------------------//
    |  Date: 09-19-2002               |
    +---------------------------------+  
     
    Description: 
    In order to exploit any of these vulnerabilities, it is necessary for
    the attacker to be able to query the database somehow.  One scenario
    where this could happen: the attacker already has an account on the
    database server and can execute queries. 
    
    Vendor Alerts: 
    
     Conectiva:  
     PLEASE SEE VENDOR ADVISORY FOR UPDATE 
    
     Conectiva Vendor Advisory:  
     http://www.linuxsecurity.com/advisories/other_advisory-2376.html
     
    
      
    +---------------------------------+
    |  Package: libX11                | ----------------------------//
    |  Date: 09-18-2002               |
    +---------------------------------+  
     
    Description: 
    The xf86 package contains various libraries and programs which are
    fundamental for the X server to function. The libX11.so library from
    this package dynamically loads other libraries where the pathname is
    controlled by the user invoking the program linked against libX11.so.
    Unfortunately, libX11.so also behaves the same way when linked
    against setuid programs. This behavior allows local users to execute
    arbitrary code under a different UID which can be the root-UID in the
    worst case.   
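The general rule this advisory illustrates: a library that loads code from a path the invoking user controls must notice when it is running inside a set-id program, because there the user and the privilege are not the same principal. The following is an added example of the checks involved, written for this newsletter and not XFree86's code or SuSE's fix; the function names and the builtin directory are assumed for illustration. On the BSDs issetugid(2) is the authoritative test; comparing real and effective ids is the portable approximation used here.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Is the process running with privileges its invoker does not have?  A
 * user-controlled environment must not steer code loading when this is true. */
int running_set_id(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* A directory is an acceptable source of loadable code for a privileged
 * process only if root owns it and nobody but root can write to it. */
int dir_is_trusted(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Pick the module directory.  `env_value` is what the user supplied (e.g.
 * through an environment variable), `builtin` the compiled-in default.
 * Set-id processes ignore the user's value outright; unprivileged ones may
 * honour it if absolute, since the user could run that code anyway. */
const char *select_module_dir(const char *env_value, int set_id,
                              const char *builtin)
{
    if (!set_id && env_value != NULL && env_value[0] == '/')
        return env_value;
    return builtin;
}

/* Build the path handed to dlopen(3).  Module names may not contain '/', and
 * a set-id process additionally refuses directories that fail the trust check,
 * so a root-owned but group-writable default cannot be abused either. */
int build_module_path(const char *dir, const char *name, int set_id,
                      char *out, size_t outlen)
{
    if (name == NULL || name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    if (set_id && !dir_is_trusted(dir))
        return -1;
    size_t dlen = strlen(dir);
    const char *sep = (dlen > 0 && dir[dlen - 1] == '/') ? "" : "/";
    if (snprintf(out, outlen, "%s%s%s", dir, sep, name) >= (int)outlen)
        return -1;
    return 0;
}
```

Note that select_module_dir() takes the set-id flag as a parameter rather than calling running_set_id() itself; that keeps the decision testable and lets a caller that has already dropped privileges pass the value it determined at startup, before any setuid(2) made the real and effective ids equal again.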
    
    Vendor Alerts: 
    
     SuSE:  
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/x1/ 
     xshared-4.2.0-174.i386.rpm 
     2a515055a811de5b465d016ffa77a09c     
    
     ftp://ftp.suse.com/pub/suse/i386/update/8.0/x2/  
     xdevel-4.2.0-174.i386.rpm 
     67ddeb24b04b8c2badb7a039d9ea270e 
    
     SuSE Vendor Advisory: 
     http://www.linuxsecurity.com/advisories/suse_advisory-2374.html
     
    
    ------------------------------------------------------------------------
    Distributed by: Guardian Digital, Inc.                LinuxSecurity.com
    
         To unsubscribe email vuln-newsletter-requestat_private
             with "unsubscribe" in the subject of the message.
    ------------------------------------------------------------------------
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Sep 23 2002 - 03:42:13 PDT