Security-improving technologies which could be deployed now
October 13, 2004
This article was contributed by John Richard Moser
Linux does not host the same applications as the more popular operating
systems; it does not cater to the same host of bugs those applications
provide to allow attackers to easily gain privileged access to the system.
Still, if the same classes of bugs exist in Linux applications, the same
problems arise. Linux is vulnerable to the same exploits as any other
operating system when bugs exist to facilitate those exploits.
Most popular Linux distributions do not make use of available security
technologies that would deflect a large number of these attacks. There are
technologies available today that allow the maintainers of distributions
such as Gentoo, Debian, or Mandrake to make the system more resilient if
not virtually invulnerable to these exploitable bugs. These technologies
are open source, GPL licensed solutions to the future problems that Linux
will face as it gains popularity.
There are many transparent security technologies available that maintainers
could use to improve the security of a Linux distribution, such as Stack Smash
Protection, PaX, and Position
Independent Executables (PIE). These, such as can be safely and easily
integrated with any distribution to improve security without altering the
users' experience or administration of the system.
Stack Smash Protection
Stack Smash Protection is a method of detection and mitigation of stack
based buffer overflow bugs in programs. There are several implementations;
the one focused on here is
IBM's Stack
Smash Protector (SSP), formerly known as ProPolice. SSP prevents stack
based buffer overflow bugs from being used to exploit programs in many
cases.
A fair number of security exploits begin with stack based buffer overflows.
SSP rearranges local variables to put character arrays at the highest
address and copies pointers passed to the function to new local variables
below these arrays. This prevents a wide range of overflow based attacks.
It uses a strategically placed local variable known as a "canary" or "guard
value" to check for overflows.
SSP is implemented as a compiler patch to gcc. This patch alters the way
functions are generated so that they check for buffer overflows. It can be
used via the -fstack-protector and -fstack-protector-all
switches, or by passing --enable-stack-protector to the
configure script when building gcc. In either case,
-fno-stack-protetctor[-all] explicitly disables the
protection.
There are still
some
cases which SSP cannot catch, such as bugs affecting structures with
vulnerable layouts; but it is definitely a powerful tool for preventing
exploitation of many programming bugs. It may also expose some simple
programming bugs, such as those which overflow a buffer by a few bytes.
These bugs cause programs to crash during normal operation with SSP.
SSP was developed by Hiroaki Etoh and Kunikazu Yoda of the IBM Research
Division, based on StackGuard. It was
originally outlined in a paper
by its authors. StackGuard was developed by Immunix Inc., and first appeared in 1998
or earlier. There have also been other papers
examining stack smash protection techniques and implementation.
PaX
PaX is a patch to the Linux kernel source tree to implement memory
protections which make certain classes of exploits difficult or impossible.
Depending on architecture, PaX may have a very low or insignificant
overhead. It is a powerful tool for preventing a great many potential
exploits.
The Exec Shield (ES) technology contributed by Red Hat is somewhat similar
to PaX; however, PaX
supplies greater control over protections on individual binaries, as well
as greater accuracy in its NX emulation on x86 architectures. ES has been
compared to PaX on Wikipedia.
Unless otherwise specified, full PaX with all features enabled except
"Disallow ELF text relocations" will be discussed here.
PaX is a very feature rich technology. Instead of targeting a specific
attack vector, PaX targets entire classes of exploits. Attacks using
standard code injection are essentially impossible to successfully perform
on a task running under full PaX restrictions; many of the more complex
attacks are extremely difficult and often impossible to guarantee. Failed
attacks result in the immediate termination of the program.
PaX guarantees that no memory is both writable and executable. The system
administrator may deny all programs permission to use mprotect() to
transition to a state where the page may be executed at any time after it
could have been written to. It may emulate an NX bit to accomplish this;
this is done on x86 with measurable but low overhead.
PaX also allows full Address Space Layout Randomization (ASLR). ASLR
allows the stack, heap, mmap(), and even the .text of ET_EXEC executables
to be mapped into randomly chosen bases in Virtual Memory (VM) space. In
the absence of an information leak, an attacker would need to essentially
guess at where any needed target data is in memory.
Some programs malfunction under PaX. Usually these programs expect
behavior contrary to what PaX provides, and upon attempting to execute
certain logic, PaX terminates them as if it had detected an exploit. PaX
allows binaries to be "marked" with tools available to the system
administrator to disable any individual protection supplied by PaX.
PaX was created by an anonymous author, originally supplying NX support
based on an observation about the x86 architecture made by the plex86
project. Other features such as ASLR were implemented later. PaX first
appeared in 2000, and was later incorporated into the grsecurity project.
The PaX project supplies much documentation, and Wikipedia
features an article about
PaX.
Position Independent Executables
Position Independent Executables, or PIE, are executables compiled as
Position Independent Code (PIC). PIC is usually slower than fixed position
code; however, it can be easily relocated in memory. PIE allows the safe
and efficient randomization of the base of executable binaries in VM by PaX
or ES, preventing an attacker from knowing beforehand where preexisting
code is in memory.
Compiling PIE binaries is done by passing gcc the -fPIC or
-fPIE switches;
linking them is done by passing -pie to gcc or to the linker. The
-fPIE
switch only works with gcc 3.4, but -fPIC will work for all.
Regardless of
which switch is used, the output is an executable ET_DYN binary.
Using PIE, the code in executable binaries suffers
measurable overhead,
the magnitude of which varies between CPU architectures. On x86, this is
approximately 1%; whereas on x86_64, the overhead is approximately 0.01%.
Because this overhead is not applied everywhere, it can usually be said to
be negligible on any architecture in relation to PIE.
Deployment
Many security focused open source operating systems deploy these or similar
technologies. OpenBSD supplies its own
PaX-type system, W^X; OpenBSD also uses SSP; but apparently does not supply a PIE base.
Hardened Gentoo and Adamantix supply PaX, SSP, and PIE;
along with other, more visible technologies such as SELinux or RSBAC. It
is left up to speculation why the most popular Linux distributions do not
supply the transparent features, although there is effort to persuade Debian to use these, by the Debian: Secure by Default and
the Hardened Debian
projects.
Comments (25 posted)
New vulnerabilities
cyrus-sasl: remote buffer overflow
| Package(s): | cyrus-sasl |
CVE #(s): | CAN-2004-0884
|
| Created: | October 7, 2004 |
Updated: | March 16, 2005 |
| Description: |
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable. |
| Alerts: |
|
Comments (none posted)
ed: Insecure temporary file handling
| Package(s): | ed |
CVE #(s): | CVE-2000-1137
|
| Created: | October 11, 2004 |
Updated: | October 13, 2004 |
| Description: |
ed insecurely creates temporary files in world-writeable directories with
predictable names. Given that ed is used in various system shell scripts,
they are by extension affected by the same vulnerability. A local attacker
could create symbolic links in the temporary files directory, pointing to a
valid file somewhere on the filesystem. When ed is called, this would
result in file access with the rights of the user running the utility,
which could be the root user. |
| Alerts: |
|
Comments (none posted)
gettext: Insecure temporary file handling
| Package(s): | gettext |
CVE #(s): | CAN-2004-0966
|
| Created: | October 11, 2004 |
Updated: | March 1, 2006 |
| Description: |
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user. |
| Alerts: |
|
Comments (1 posted)
mysql: several vulnerabilities
| Package(s): | mysql |
CVE #(s): | CAN-2004-0835
CAN-2004-0836
CAN-2004-0837
|
| Created: | October 11, 2004 |
Updated: | April 6, 2005 |
| Description: |
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837) |
| Alerts: |
|
Comments (none posted)
ncompress: Buffer overflow
| Package(s): | compress uncompress ncompress |
CVE #(s): | CAN-2001-1413
|
| Created: | October 11, 2004 |
Updated: | December 14, 2004 |
| Description: |
compress and uncompress do not properly check bounds on command line
options, including the filename. Large parameters would trigger a buffer
overflow. By supplying a carefully crafted filename or other option, an
attacker could execute arbitrary code on the system. A local attacker could
only execute code with his own rights, but since compress and uncompress
are called by various daemon programs, this might also allow a remote
attacker to execute code with the rights of the daemon making use of
ncompress. |
| Alerts: |
|
Comments (none posted)
squid: denial of service vulnerability
| Package(s): | squid |
CVE #(s): | CAN-2004-0918
|
| Created: | October 7, 2004 |
Updated: | November 8, 2004 |
| Description: |
Squid has a potential denial of service vulnerability
and a problem with readable passwords due to incorrect
permissions on the squid.conf file. |
| Alerts: |
|
Comments (none posted)
tiff: buffer overflows
| Package(s): | tiff |
CVE #(s): | CAN-2004-0803
|
| Created: | October 13, 2004 |
Updated: | April 12, 2005 |
| Description: |
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
Apache mod_proxy: denial of service
| Package(s): | apache |
CVE #(s): | CAN-2004-0492
|
| Created: | June 11, 2004 |
Updated: | October 14, 2004 |
| Description: |
A buffer overflow vulnerability in the apache mod_proxy module
can be exploited to create a denial of service. |
| Alerts: |
|
Comments (none posted)
apache2: stack-based buffer overflow in ssl_util.c
| Package(s): | apache2 |
CVE #(s): | CAN-2004-0488
|
| Created: | June 1, 2004 |
Updated: | October 14, 2004 |
| Description: |
A stack-based buffer overflow exists in the ssl_util_uuencode_binary
function in ssl_util.c in Apache. When mod_ssl is configured to trust the
issuing CA, a remote attacker may be able to execute arbitrary code via a
client certificate with a long subject DN. |
| Alerts: |
|
Comments (none posted)
aspell: bounds checking problem
| Package(s): | aspell |
CVE #(s): | CAN-2004-0548
|
| Created: | June 17, 2004 |
Updated: | December 20, 2004 |
| Description: |
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker. |
| Alerts: |
|
Comments (none posted)
cdrecord: failure to drop privilege
| Package(s): | cdrecord |
CVE #(s): | CAN-2004-0806
|
| Created: | September 8, 2004 |
Updated: | February 21, 2005 |
| Description: |
The cdrecord utility, which is installed setuid on some distributions, fails to drop privilege before running a user-specified program. |
| Alerts: |
|
Comments (none posted)
cups: information leak
| Package(s): | cups |
CVE #(s): | CAN-2004-0923
|
| Created: | October 5, 2004 |
Updated: | October 14, 2004 |
| Description: |
CUPS has an information leakage problem when printing to SMB shares
requiring authentication. |
| Alerts: |
|
Comments (none posted)
cups: denial of service
| Package(s): | cups cupsys |
CVE #(s): | CAN-2004-0558
|
| Created: | September 15, 2004 |
Updated: | October 14, 2004 |
| Description: |
Versions of cups prior to 1.1.21 contain a denial of service vulnerability in their IPP implementation. A malicious UDP packet can cause cups to stop listening to the IPP port. |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
flim: insecure file creation
| Package(s): | flim |
CVE #(s): | CAN-2004-0422
|
| Created: | May 5, 2004 |
Updated: | December 16, 2004 |
| Description: |
The emacs "flim" mode creates temporary files in an insecure fashion, possibly allowing a local attacker to overwrite files. |
| Alerts: |
|
Comments (none posted)
Foomatic: Arbitrary command execution in foomatic-rip
| Package(s): | foomatic |
CVE #(s): | CAN-2004-0801
|
| Created: | September 20, 2004 |
Updated: | May 31, 2006 |
| Description: |
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler. |
| Alerts: |
|
Comments (none posted)
freenet6: file protection problem
| Package(s): | freenet6 |
CVE #(s): | CAN-2004-0563
|
| Created: | September 30, 2004 |
Updated: | October 6, 2004 |
| Description: |
freenet6 has a protection problem which allows the username
and password to be read from a configuration file.
|
| Alerts: |
|
Comments (none posted)
FreeRADIUS: denial of service
| Package(s): | freeradius |
CVE #(s): | CAN-2004-0938
CAN-2004-0960
CAN-2004-0961
|
| Created: | September 22, 2004 |
Updated: | February 2, 2005 |
| Description: |
FreeRADIUS (through version 1.0.1) suffers from several denial of service vulnerabilities in its packet reception code. |
| Alerts: |
|
Comments (none posted)
Gaim: remote code execution vulnerability
| Package(s): | gaim |
CVE #(s): | CAN-2004-0500
|
| Created: | August 12, 2004 |
Updated: | October 18, 2004 |
| Description: |
The Gaim IRC client (versions 0.81 and prior) has a remote code execution vulnerability
in the MSN-protocol parsing functions. |
| Alerts: |
|
Comments (none posted)
gtk2, gdk-pixbuf: buffer overflows
| Package(s): | gdk-pixbuf gtk2 |
CVE #(s): | CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
|
| Created: | September 15, 2004 |
Updated: | February 25, 2005 |
| Description: |
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks. |
| Alerts: |
|
Comments (none posted)
glibc: Information leak with LD_DEBUG
| Package(s): | glibc |
CVE #(s): | CAN-2004-1453
|
| Created: | August 17, 2004 |
Updated: | May 26, 2005 |
| Description: |
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation. |
| Alerts: |
|
Comments (1 posted)
gnome-vfs: backend script vulnerabilities
| Package(s): | gnome-vfs |
CVE #(s): | CAN-2004-0494
|
| Created: | August 4, 2004 |
Updated: | February 21, 2005 |
| Description: |
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat. |
| Alerts: |
|
Comments (none posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
apache2: IPv6 denial of service
| Package(s): | httpd apache2 |
CVE #(s): | CAN-2004-0747
CAN-2004-0751
CAN-2004-0786
CAN-2004-0809
|
| Created: | September 15, 2004 |
Updated: | October 6, 2004 |
| Description: |
Apache2 contains an integer error in the apr_uri_parse() function when handling IPv6 addresses. The result is a code execution vulnerability on BSD systems, and a denial of service vulnerability under Linux. |
| Alerts: |
|
Comments (none posted)
imagemagick: buffer overflow vulnerability
| Package(s): | imagemagick |
CVE #(s): | CAN-2004-0827
|
| Created: | September 16, 2004 |
Updated: | November 30, 2004 |
| Description: |
The ImageMagick graphics library has several buffer overflow
vulnerabilities that allow an attacker to crash the reading process
by creating mal-formed video or image files in the AVI, BMP, or DIB format. |
| Alerts: |
|
Comments (none posted)
imlib2: buffer overflows
| Package(s): | imlib2 |
CVE #(s): | CAN-2004-0802
CAN-2004-0817
|
| Created: | September 8, 2004 |
Updated: | October 26, 2005 |
| Description: |
The imlib2 library contains buffer overflows in the BMP handling code. |
| Alerts: |
|
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
kernel information leak
| Package(s): | kernel |
CVE #(s): | CAN-2004-0415
|
| Created: | August 3, 2004 |
Updated: | October 26, 2004 |
| Description: |
Paul Starzetz discovered
flaws in the Linux kernel when handling file
offset pointers. These consist of invalid conversions of 64 to 32-bit file
offset pointers and possible race conditions. A local unprivileged user
could make use of these flaws to access large portions of kernel memory.
Note that this vulnerability affects all 2.4 kernels through 2.4.26 and 2.6 kernels through 2.6.7.
A fix for this problem was added to the fifth
2.4.27 release candidate. |
| Alerts: |
|
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
lha: stack-based buffer overflow
| Package(s): | lha |
CVE #(s): | CAN-2004-0769
CAN-2004-0771
CAN-2004-0694
CAN-2004-0745
|
| Created: | September 2, 2004 |
Updated: | October 14, 2004 |
| Description: |
The lha archiving and compression utility has a
stack-based buffer overflow vulnerability. A modified
archive could allow an attacker to execute code when a victim
extracts or test the archive. |
| Alerts: |
|
Comments (none posted)
libpng: multiple vulnerabilities
Comments (1 posted)
libxpm4: stack and integer overflows
| Package(s): | libxpm4 |
CVE #(s): | CAN-2004-0687
CAN-2004-0688
|
| Created: | September 16, 2004 |
Updated: | February 14, 2005 |
| Description: |
There are several stack and integer overflow bugs in
the libXpm code of XFree86 that may be used for a denial of service. |
| Alerts: |
|
Comments (none posted)
logcheck: symlink vulnerability
| Package(s): | logcheck |
CVE #(s): | CAN-2004-0404
|
| Created: | April 21, 2004 |
Updated: | December 22, 2004 |
| Description: |
The logcheck utility handles temporary files in an unsafe way, possibly allowing local attackers to overwrite files. |
| Alerts: |
|
Comments (none posted)
Midnight Commander: extfs vfs vulnerability
| Package(s): | mc |
CVE #(s): | CAN-2004-0494
|
| Created: | September 2, 2004 |
Updated: | January 5, 2005 |
| Description: |
Midnight Commander has a vfs vulnerability with shell quoting
in extfs perl scripts. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mozilla products: arbitrary code execution and other vulnerabilities
| Package(s): | mozilla firefox thunderbird |
CVE #(s): | CAN-2004-0902
CAN-2004-0903
CAN-2004-0904
CAN-2004-0905
CAN-2004-0908
|
| Created: | September 20, 2004 |
Updated: | January 13, 2005 |
| Description: |
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details. |
| Alerts: |
|
Comments (none posted)
mpg123: buffer overflow bug
| Package(s): | mpg123 |
CVE #(s): | CAN-2004-0805
|
| Created: | September 16, 2004 |
Updated: | January 11, 2005 |
| Description: |
The mpg123 audio playing utility has a buffer overflow
bug that may allow arbitrary execution of code. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
net-acct: temporary file vulnerability
| Package(s): | net-acct |
CVE #(s): | CAN-2004-0851
|
| Created: | October 6, 2004 |
Updated: | October 6, 2004 |
| Description: |
Net-acct (an IP accounting daemon) version 0.71 suffers from a temporary file vulnerability. |
| Alerts: |
|
Comments (none posted)
netkit-telnet: invalid free pointer
| Package(s): | netkit-telnet |
CVE #(s): | CAN-2004-0911
|
| Created: | October 4, 2004 |
Updated: | March 28, 2005 |
| Description: |
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user). |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
OpenOffice: information disclosure
| Package(s): | openoffice.org |
CVE #(s): | CAN-2004-0752
|
| Created: | September 15, 2004 |
Updated: | October 20, 2004 |
| Description: |
OpenOffice.org contains a temporary file handling vulnerability which can allow one local user to read the contents of another user's open files. |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
OpenSSL: denial of service vulnerabilities
Comments (1 posted)
pavuk: buffer overflow
| Package(s): | pavuk |
CVE #(s): | CAN-2004-0456
|
| Created: | June 30, 2004 |
Updated: | November 11, 2004 |
| Description: |
Versions of the pavuk web spider through 0.9.28-r1 contain a buffer overflow which could be exploited by a hostile server. |
| Alerts: |
|
Comments (none posted)
php: remotely exploitable memory errors
| Package(s): | php |
CVE #(s): | CAN-2004-0594
|
| Created: | July 14, 2004 |
Updated: | February 7, 2005 |
| Description: |
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not). |
| Alerts: |
|
Comments (none posted)
php: information disclosure and file upload vulnerabilities
| Package(s): | php |
CVE #(s): | |
| Created: | October 6, 2004 |
Updated: | October 6, 2004 |
| Description: |
Versions of PHP prior to 4.3.9 suffer from vulnerabilities which can disclose the contents of random memory to an attacker and allow uploads of files to any location writable by the web server. |
| Alerts: |
|
Comments (none posted)
PuTTY: pre-authentication arbitrary code execution problem
| Package(s): | putty |
CVE #(s): | |
| Created: | August 5, 2004 |
Updated: | October 28, 2004 |
| Description: |
PuTTY, a telnet and SSH client, contains a vulnerability that
can allow an SSH server to execute arbitrary code on a connecting client.
|
| Alerts: |
|
Comments (none posted)
python: buffer overflow
| Package(s): | python |
CVE #(s): | CAN-2004-0150
|
| Created: | March 10, 2004 |
Updated: | October 11, 2004 |
| Description: |
Python (versions 2.2 and 2.2.1 only) has a buffer overflow in the getaddrinfo() function which can be exploited by a malformed IPv6 address. |
| Alerts: |
|
Comments (none posted)
qt3: BMP image parser heap overflow
| Package(s): | qt3/qt3-non-mt/qt3-32bit/qt3-static |
CVE #(s): | CAN-2004-0691
CAN-2004-0692
CAN-2004-0693
|
| Created: | August 19, 2004 |
Updated: | May 15, 2005 |
| Description: |
A heap overflow in the qt3 BMP image format parser in Qt versions prior to 3.3.3 may allow remote code execution. |
| Alerts: |
|
Comments (none posted)
rp-pppoe, pppoe: missing privilege dropping
| Package(s): | rp-pppoe, pppoe |
CVE #(s): | CAN-2004-0564
|
| Created: | October 4, 2004 |
Updated: | November 14, 2005 |
| Description: |
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system. |
| Alerts: |
|
Comments (none posted)
rsync: path-sanitizing bug
| Package(s): | rsync |
CVE #(s): | CAN-2004-0792
|
| Created: | August 16, 2004 |
Updated: | November 1, 2004 |
| Description: |
This August 2004 rsync
advisory reports that there is a path-sanitizing bug that affects
daemon mode in all recent rsync versions (including 2.6.2) but only if
chroot is disabled. It does NOT affect the normal send/receive filenames
that specify what files should be transferred (this is because these names
happen to get sanitized twice, and thus the second call removes any
lingering leading slash(es) that the first call left behind). It does
affect certain option paths that cause auxilliary files to be read or
written. |
| Alerts: |
|
