This week's "new vulnerabilities" section is somewhat longer than usual; a
rather large number of packages have been revealed to have
vulnerabilities. This surge in updates is a result of the posting of 44 vulnerabilities found by
students in a security class taught by Daniel J. Bernstein.
There is no doubt that Mr. Bernstein has done us a favor by having his
students find these problems, and by disclosing them. With luck, he is
also teaching his students to avoid the creation of such vulnerabilities.
Not everybody is pleased with how the problems were disclosed, however.
The usual, accepted technique is to alert the maintainer of the affected
software first, and to give them a bit of time in which to prepare and
distribute a patch. In this way, the full, public disclosure of the
vulnerability can be accompanied by an update.
That was not the path followed by Mr. Bernstein; instead, he opted to
dispense with the prior notification to the maintainer, and to simply disclose the
vulnerabilities publicly from the outset. The result has been a major
scramble on the parts of maintainers and distributors who have found
themselves trying to deal with a large pile of problems which have already
been broadcast to the world.
Mr. Bernstein is not known for being apologetic in general, and he
certainly was not in this case. In fact, he regretted that it took the reports one day to
make it to Bugtraq: "It certainly wasn't my intention to give the
authors an extra day of self-delusion." In a
different discussion he has made his opinion clear:
On the contrary. Immediate full disclosure, with a working exploit,
punishes the programmer for his bad code. He panics; he has to rush
to fix the problem; he loses users.
You're whining that punishment is painful. You're ignoring the effect
that punishment has on future behavior. It encourages programmers to
invest the time and effort necessary to eliminate security problems.
So, it seems, the real solution to security problems is to punish
programmers who release insecure code. There could be something to be said
for this point of view: programmers who have been burned in this way might
well find themselves inspired to pay more attention the next time around.
The unfortunate side effects of immediate disclosure, however, include the
punishment of users and distributors, and the possible creation of rushed,
inadequate fixes. Compassion for people - other than the original
developer - who are affected by vulnerabilities might suggest that allowing
the developer to prepare a fix prior to disclosure might be the better
approach.
The phpBB bulletin board package contains an input validation problem which
can allow the hosting site to be compromised. This vulnerability is being
actively exploited, and there is apparently a worm in circulation as well.
Click below to read the CERT advisory this problem; upgrading to version
2.0.11 fixes the problem.
Limin Wang has located a buffer overflow inside the put_words()
function in the abcm2ps code. A remote attacker could convince the victim
to download a specially-crafted ABC file. Upon execution, this file would
trigger the buffer overflow and lead to the execution of arbitrary code
with the permissions of the user running abcm2ps.
Javier Fernández-Sanguino Peña discovered that the auxiliary scripts
"eqn2graph" and "pic2graph" created temporary files in an insecure
way, which allowed exploitation of a race condition to create or
overwrite files with the privileges of the user invoking the program.
"infamous41md" discovered a buffer overflow in htget, a file grabber
that will get files from HTTP servers. It is possible to overflow a
buffer and execute arbitrary code by accessing a malicious URL.
Konqueror has a window injection vulnerability that allows
remote attackers to spoof arbitrary web sites by injecting content
from one window into another.
There is a buffer overflow in the password history handling code of
libkadm5srv which could be exploited by an authenticated user to execute
arbitrary code on a Key Distribution Center (KDC) server.
Bartlomiej Sieka discovered that mpg123 contains an unsafe strcat() to an
array in playlist.c. This code vulnerability may lead to a buffer
overflow. A remote attacker could craft a malicious playlist which, when
used, would result in the execution of arbitrary code with the rights of
the user running mpg123. See this advisory for
more information.
Jonathan Rockway discovered that NASM-0.98.38 has an unprotected
vsprintf() to an array in preproc.c. This code vulnerability may lead
to a buffer overflow and potential execution of arbitrary code.
A race condition and possible information leak has been discovered in
Perl's File::Path::rmtree(). This function changes the permission of files
and directories before removing them to avoid problems with wrong
permissions. However, they were made readable and writable not only for the
owner, but for the entire world, which opened a race condition and a
possible information leak (if the actual removal of a file/directory failed
for some reason).
PHP has an out of bounds memory write access vulnerability and
an integer overflow/underflow problem. See the PHP 4.3.10 Release Announcement for details.
Nicolas Gregoire (exaprobe.com) has discovered two vulnerabilities that
exist only on a webserver where PHP safe_mode is off. These vulnerabilities
could lead to command execution or file disclosure. See
PHPMyAdmin advisory: PMASA-2004-4 for details.
Several buffer overflows have been discovered in xine-lib, the video/audio
codec library for Xine frontends (xine-ui, totem-xine, kaffeine, and
others). If an attacker tricked a user into loading a malicious RTSP stream
or a stream with specially crafted AIFF audio or PNM image data, they could
exploit this to execute arbitrary code with the privileges of the user
opening the audio/video file. See this advisory
for more information.
Luke "infamous41md" discovered multiple vulnerabilities in xzgv, a picture
viewer for X11 with a thumbnail-based selector. Remote exploitation of an
integer overflow vulnerability could allow the execution of arbitrary
code.
Due to improper input validation, Zwiki can be exploited to perform
cross-site scripting attacks. By enticing a user to read a
specially-crafted wiki entry, an attacker can execute arbitrary script code
running in the context of the victim's browser.
The GNU a2ps utility fails to properly sanitize filenames, which can be
abused by a malicious user to execute arbitrary commands with the
privileges of the user running the vulnerable application. More
information at Security
Focus.
Aspell's word-list-compress utility fails to properly check bounds
when dealing with words that are more than 256 bytes long.
This can lead to arbitrary code execution by an attacker.
cyrus-sasl has a vulnerability involving a buffer overflow
in the digestmda5.c file. A remote attacker may be able
to compromise the system. Also, a local user may be able to
exploit a vulnerability by using the SASL_PATH environment
variable.
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible.
There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter. This vulnerability
may allow both local and remote attackers to execute arbitrary commands on
the print server with the permissions of the spooler.
A buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows
remote attackers to cause a denial of service (application crash) and
possibly execute arbitrary code via an "unexpected sequence of MSNSLP
messages" that results in an unbounded copy operation that writes to the
wrong buffer.
Jim Paris has discovered a cross-site scripting vulnerability in
Gallery. By sending a carefully crafted URL, an attacker can inject and
execute script code in the victim's browser window, and potentially
compromise the users gallery.
The gdk-pixbuf and gtk2 libraries contain vulnerabilities in their handling of BMP and XPM files which can lead to denial of service and, potentially, code execution attacks.
gettext insecurely creates temporary files in world-writeable directories
with predictable names. A local attacker could create symbolic links in
the temporary files directory, pointing to a valid file somewhere on the
filesystem. When gettext is called, this would result in file access with
the rights of the user running the utility, which could be the root user.
Silvio Cesare discovered a potential information leak in glibc. It allows
LD_DEBUG on SUID binaries where it should not be allowed. This has various
security implications, which may be used to gain confidential information.
An attacker can gain the list of symbols a SUID application uses and their
locations and can then use a trojaned library taking precedence over those
symbols to gain information or perform further exploitation.
The catchsegv script in the glibc package has a symlink vulnerability
that may allow a local user to overwrite arbitrary
files with the permissions of the user that is running the script.
Several scripts packaged with gnome-vfs, using its "extfs" capability, have security flaws. These scripts tend not to be used on many systems, but their presence can still be a threat.
Recently, Trustix Secure Linux discovered a vulnerability in the groff
package. The utility "groffer" created a temporary directory in an
insecure way, which allowed exploitation of a race condition to create
or overwrite files with the privileges of the user invoking the
program.
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash.
Pavel Kankovsky discovered that several overflows found in the libXpm
library also applied to imlib. He also fixed a number of other potential
flaws. A remote attacker could entice a user to view a carefully-crafted
image file, which would potentially lead to execution of arbitrary code
with the rights of the user viewing the image. This affects any program
that makes use of the imlib library.
Faheem Mitha noticed that the iptables command, an administration tool for
IPv4 packet filtering and NAT, did not always load the required modules on
its own as it was supposed to. This could lead to firewall rules not being
loaded on system startup. This caused a failure in connection with rules
provided by lokkit at least.
Paul Starzetz has discovered a new pair of kernel vulnerabilities. The IGMP code suffers from input validation and integer overflow vulnerabilities which could be remotely exploitable, and the socket function __scm_send()has a local denial of service vulnerability.
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
Several buffer overflows have been discovered in libgd's PNG handling
functions.
If an attacker tricked a user into loading a malicious PNG image, they
could leverage this into executing arbitrary code in the context of
the user opening image. Most importantly, this library is commonly
used in PHP. One possible target would be a PHP driven photo website
that lets users upload images. Therefore this vulnerability might lead
to privilege escalation to a web server's privileges.
Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and
earlier may allow remote attackers to execute arbitrary code via malformed
image files that trigger the overflows due to improper calls to the
gdMalloc function.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When fetching a remote resource via FTP or HTTP, libxml2 uses special
parsing routines. These routines can overflow a buffer if passed a very
long URL. If an attacker is able to find an application using libxml2 that
parses remote resources and allows them to influence the URL, then this
flaw could be used to execute arbitrary code.
libxml2 prior to version 2.6.14 has multiple buffer overflow
vulnerabilities, if a local user passes a specially crafted
FTP URL, arbitrary code may be executed.
Trustix Secure Linux discovered a vulnerability in a supplemental script of
the lvm10 package. The program "lvmcreate_initrd" created a temporary
directory in an insecure way, which could allow a symlink attack to create
or overwrite arbitrary files with the privileges of the user invoking the
program.
Several vulnerabilities exist in the Mozilla web browser and derived
products, the most serious of which could allow a remote attacker to
execute arbitrary code on an affected system. See the CERT advisory for details.
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming).
Several problems have been discovered in MySQL. Oleksandr Byelkin noticed
that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the old table
instead of the new one. (CAN-2004-0835) Lukasz Wojtow noticed a buffer
overrun in the mysql_real_connect function. (CAN-2004-0836) Dean Ellis
noticed that multiple threads ALTERing the same (or different) MERGE tables
to change the UNION can cause the server to crash or stall. (CAN-2004-0837)
Michal Zalewski discovered a bug in the netkit-telnet server (telnetd)
whereby a remote attacker could cause the telnetd process to free an
invalid pointer. This causes the telnet server process to crash, leading
to a straightforward denial of service (inetd will disable the service if
telnetd is crashed repeatedly), or possibly the execution of arbitrary code
with the privileges of the telnetd process (by default, the 'telnetd'
user).
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool.
The der_chop script in openssl has a temp file vulnerability that may allow
an attacker to overwrite arbitrary files with the permissions that
the script is running under.
Stefan Esser has issued an advisory regarding a
remotely exploitable hole in PHP (through version 4.3.7). If the
memory_limit feature is in use (as it should be, to prevent denial
of service attacks), allocation failures can be forced at highly
inopportune times, and those failures can be exploited to execute arbitrary
code. The exploit is described as "quite easy," and it can be done
regardless of whether Apache1 or Apache2 is in use. Upgrading to PHP 4.3.8 fixes the
problem; yesterday's PHP 5.0 release also contains the fix (but the
final release candidate did not).
The make_oidjoins_check script insecurely creates temporary files in
world-writeable directories with predictable names. A local attacker could
create symbolic links in the temporary files directory, pointing to a valid
file somewhere on the filesystem. When make_oidjoins_check is called, this
would result in file overwrite with the rights of the user running the
utility, which could be the root user.
ProZilla contains several exploitable buffer overflows in the code handling
the network protocols. A remote attacker could setup a malicious server
and entice a user to retrieve files from that server using ProZilla. This
could lead to the execution of arbitrary code with the rights of the user
running ProZilla.
Max Vozeler discovered a vulnerability in pppoe, the PPP over Ethernet
driver from Roaring Penguin. When the program is running setuid root
(which is not the case in a default Debian installation), an attacker
could overwrite any file on the file system.
The upstream developers of Ruby have corrected a problem in the CGI
module for this language. Specially crafted requests could cause an
infinite loop and thus cause the program to eat up cpu cycles.
sharutils contains two buffer overflows. Ulf Harnhammar discovered a buffer
overflow in shar.c, where the length of data returned by the wc command is
not checked. Florian Schilhabel discovered another buffer overflow in
unshar.c. An attacker could exploit these vulnerabilities to execute
arbitrary code as the user running one of the sharutils programs.
SpamAssassin contains an unspecified Denial of Service vulnerability. By
sending a specially crafted message an attacker could cause a Denial of
Service attack against the SpamAssassin service.
Subversion has a remote Denial of Service vulnerability
that may allow a server that runs svnserve to execute
arbitrary code. See this advisory for more information.
Versions of sudo prior to 1.6.8p2 fail to properly sanitize the environment prior to running shell scripts; this failure can be exploited by a sudo user to subvert scripts and obtain shell access. See the 1.6.8p2 announcement for more information.
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability.
The tiff library contains several buffer overflows which may be exploited
by way of maliciously-crafted image files. See this advisory for more information.
The unarj uncompression utility has a buffer overflow vulnerability
from handling long file names in an archive. An attacker can
cause unarj to crash or execute arbitrary code.
Hajvan Sehic discovered several vulnerabilities in viewcvs, a utility
for viewing CVS and Subversion repositories via HTTP. When exporting
a repository as a tar archive the hide_cvsroot and forbidden settings
were not honored.
A new set of modeline-related vulnerabilities has been discovered in versions of vim prior to 6.3-r2. These vulnerabilities could conceivably be exploited by a local user to obtain the privileges of another user.
WordPress: HTTP response splitting and XSS vulnerabilities
Package(s):
wordpress
CVE #(s):
Created:
October 14, 2004
Updated:
December 20, 2004
Description:
WordPress is vulnerable to HTTP response splitting and cross-site scripting
attacks, due to the lack of input validation in the administration panel
scripts. A malicious user could inject arbitrary response data, leading to
content spoofing, web cache poisoning and other cross-site scripting or
HTTP response splitting attacks. This could result in compromising the
victim's data or browser.
XChat is vulnerable to a stack overflow that may allow a remote attacker to
run arbitrary code. The SOCKS 5 proxy code in XChat is vulnerable to a
remote exploit. Users would have to be using XChat through a SOCKS 5
server, enable SOCKS 5 traversal which is disabled by default and also
connect to an attacker's custom proxy server. This vulnerability may allow
an attacker to run arbitrary code within the context of the user ID of the
XChat client.
Shaun Colley discovered a problem in xine-ui, the xine video player
user interface. A script contained in the package to possibly remedy
a problem or report a bug does not create temporary files in a secure
fashion. This could allow a local attacker to overwrite files with
the privileges of the user invoking xine.
Several xpdf integer overflow vulnerabilities can be exploited via a
mal-formed PDF document. Similar vulnerabilities can be found in kpdf and
in cupsys which share code. Additional information can be found in this KDE security advisory.
HexView discovered a buffer overflow in the zip package. The overflow is
triggered by creating a ZIP archive of files with very long path
names. This vulnerability might result in execution of arbitrary code with
the privileges of the user who calls zip. This flaw may lead to privilege
escalation on systems which automatically create ZIP archives of user
supplied files, like backup systems or web applications.
