The trojaning of mICQ
The story, it seems, is this: Rüdiger Kuhlmann, the maintainer of
mICQ, had a disagreement with Martin
Loschwitz, the maintainer of the Debian mICQ package, on how that package
should be built. Mr. Kuhlmann complained that an old version of mICQ was
shipped, that it contained bugs which had been fixed upstream, and that his
name had been removed from the copyright file. The disagreement had
apparently been going on for a while.
Mr. Kuhlmann decided that enough was enough, and he was going to take some
action. As of mICQ 0.4.10.1, the code will, when built for the Debian
distribution, print out a message which says some unflattering things about
Mr. Loschwitz and encourages use of a different version; the program then
exits. In other words, when built for Debian, mICQ thumbs its nose at the
user and refuses to run. To help ensure
that this code got into the official Debian version, it was written in an
obfuscated manner, set to trigger only after February 11, and only if
it was not being run by Mr. Loschwitz. For the curious, here is a posting containing the code in question.
In response, Mr. Loschwitz called for the
removal of mICQ from the Debian distribution and started a generally
impressive flamewar. After some time, the two parties actually started
talking to each other; summaries from Mr. Kuhlmann and Mr. Loschwitz have been posted. The resolution
involves fixing the packaging issues and the removal of the anti-Debian
code. The mICQ package will also be removed from Debian until a security
audit is performed and a new maintainer is found. The situation would
appear to have been resolved.
The whole thing has, however, left a bad taste in the mouths of many Debian
developers.
According to some, Debian was subjected to a trojan horse/denial of service
attack, and they are not happy about it. Mr. Kuhlmann denies this, of
course ("In fact, I only added dead code. It was you who #ifdef'd it
in - not knowingly, but anyway."), but this code, even described in
more friendly terms ("easter egg," say), is the sort of thing that does not
often happen in the free software world. Free software users like to think
they have a bit more control over their systems than that.
(It's not completely unheard of, though - GNU emacs used to greet
Symbolics users with the message "In doing business with Symbolics, you are
rewarding a wrong.")
Much of the discussion was concerned with what Mr. Kuhlmann could
have done with this piece of stealth code. Such speculation is a bit
off-topic, given that, as far as anybody can tell, there are no evil or
destructive trojans coded into mICQ. In the context of a wider discussion,
however, this episode does raise a scary issue. The mICQ code was slipped
into a major distribution, seemingly with great ease. The code was
relatively harmless, but, next time, it might not be. Access to source
code decreases our vulnerability to this sort of attack; proprietary
software, after all, can have anything in it. It is hard to imagine
anybody being able to hide a flight simulator inside a free spreadsheet
application. But anybody who believes that having the source makes us
invulnerable to this kind of trojan is clearly mistaken. With suitably
clever coding, great nastiness can be hidden in seemingly innocuous code.
The resources to audit all of our code at the level of detail required to
find small trojans simply don't exist.
Perhaps, in the future, tools like the Stanford Checker can be turned to
the task of finding suspicious code in source distributions. For now,
though, we have to remain on our guard. This kind of thing will
happen again, and, next time, the results may not be so benign.
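The trigger described above has a recognisable shape: a region of code compiled only for one distribution, a calendar test, a check of who is running the program, and an exit. The following scanner is an added example (not code from mICQ, Debian or LWN) that flags C preprocessor-conditional regions combining all three. It is purely name-based, so it catches the shape of the trigger, not an obfuscated one like the real mICQ code; the sample source, the macro name DEBIAN_BUILD and the user name "maintainer" are constructed for illustration.

```python
"""Heuristic scan of C source for build-gated time-bomb patterns.

Added example: flags #if/#ifdef/#ifndef regions whose body contains a
calendar/time trigger, a check of the invoking user's identity, and a
call that terminates the program. Code outside any conditional is not
examined, since the point is build-gated code. Name-based, so it only
finds unobfuscated instances.
"""
import re
from dataclasses import dataclass, field

TIME_TRIGGER = re.compile(
    r"\b(time|localtime|gmtime|mktime|difftime)\s*\(|\btm_(year|mon|mday)\b")
USER_CHECK = re.compile(
    r"\b(getpwuid|getlogin|getuid|geteuid)\s*\(|getenv\s*\(\s*\"(USER|LOGNAME)\"")
TERMINATE = re.compile(r"\b(exit|_exit|abort)\s*\(")
PP_OPEN = re.compile(r"^\s*#\s*(if|ifdef|ifndef)\b(.*)$")
PP_CLOSE = re.compile(r"^\s*#\s*endif\b")


@dataclass
class Region:
    condition: str
    start: int
    end: int = 0
    hits: set = field(default_factory=set)


def scan_source(text: str) -> list:
    """Return a dict per suspicious region: condition, (start, end), hits."""
    stack = []        # currently open preprocessor conditionals
    suspicious = []
    for lineno, line in enumerate(text.splitlines(), 1):
        opened = PP_OPEN.match(line)
        if opened:
            stack.append(Region(condition=opened.group(0).strip(), start=lineno))
            continue
        if PP_CLOSE.match(line):
            if stack:
                region = stack.pop()
                region.end = lineno
                if {"time", "user", "exit"} <= region.hits:
                    suspicious.append(region)
            continue
        # A hit counts for every enclosing conditional, so nested gates
        # (e.g. #ifdef DEBIAN inside #ifdef HAVE_TIME_H) are still caught.
        for region in stack:
            if TIME_TRIGGER.search(line):
                region.hits.add("time")
            if USER_CHECK.search(line):
                region.hits.add("user")
            if TERMINATE.search(line):
                region.hits.add("exit")
    return [{"condition": r.condition, "lines": (r.start, r.end),
             "hits": sorted(r.hits)} for r in suspicious]


# Constructed sample, not the mICQ code: one benign gated region and one
# that has the shape of the trigger described in the article.
SAMPLE_SOURCE = r'''
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <pwd.h>
#include <unistd.h>

int main(void)
{
#ifdef HAVE_LOCALE
    setlocale(LC_ALL, "");          /* ordinary build-gated code: not flagged */
#endif
    puts("starting up");
#ifdef DEBIAN_BUILD
    time_t now = time(NULL);
    struct tm *t = localtime(&now);
    struct passwd *pw = getpwuid(getuid());
    if ((t->tm_mon > 1 || (t->tm_mon == 1 && t->tm_mday > 11))
        && strcmp(pw->pw_name, "maintainer") != 0) {
        puts("this build is broken; get the upstream version");
        exit(1);
    }
#endif
    return 0;
}
'''

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_SOURCE):
        print(finding)
```

Run against a tree with something like `for f in $(find . -name '*.c'); do ...` and treat every hit as a starting point for a human read, not a verdict: the regexes are cheap to evade, which is exactly the article's point about obfuscated code.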
Comments (14 posted)
The Embedded Linux Consortium Platform Specification
The Embedded Linux Consortium has
announced the
launch of the ELC Platform Specification (ELCPS). The ELCPS was developed
with input from numerous companies including IBM, LynuxWorks, Panasonic,
Samsung, MontaVista, K Computing, Red Hat, WiPro, Hacom, and FSM Labs; its
purpose is to encourage interoperability across embedded Linux systems.
Those wanting the details can grab a copy of the specification
in PDF format; for everybody else, here is a
quick summary of what the ELCPS is trying to do.
The ELCPS is heavily influenced by the Linux Standard Base, POSIX, and the
Single Unix Specification. However, it restricts itself to the programming
environment (and, in particular, to which functions should be available)
and is not concerned with the user experience side of things. It is
assumed that the user of an embedded system will not be worried about which
shells are available.
Of course, not all embedded systems are the same; the capabilities needed
by a web-enabled phone handset or point of sale system will be different
from, say, an elevator controller. So the ELCPS defines three levels of
environment, each of which has different requirements.
- The minimal system environment is the bottom end; systems
running in this mode may not deal directly with users, and may not
even need a filesystem. ELCPS-compliant systems at this level should
provide the basic C environment, signals, basic locking, and threads -
but they do not necessarily have to be able to run more than one
process.
- The intermediate system environment adds several things,
including filesystem support, asynchronous I/O, dynamic libraries,
multiple processes, inter-process communication, wide character
support, and more.
- The full system environment is "essentially equivalent to
a LSB 1.2 system," except that there is still no specification of
which programs should be available. At this level, the environment
should provide full floating-point math support, job control,
networking, basic shell functions, system logging, password functions,
and so on.
There are a couple of interesting omissions from the first version of the
ELCPS. One is in the area of real-time programming. According to the
specification, there is no clear standard for real-time programming in the
Linux world. The LSB does not specify real-time functionality, and the
POSIX real-time standards are still in flux. The specification makes no
mention of the fact that serious real-time Linux programming tends to be
done by way of RTLinux or RTAI, neither of which is standard in any way,
but that situation has to have discouraged attempts to standardize
real-time Linux functionality as well.
The specification also had to punt on thread support, since real POSIX
threads implementations for Linux are still hard to come by. That
situation should be rectified when the 2.6 kernel, with its greatly
improved threading support, becomes available.
The Embedded Linux Consortium will eventually set up a certification
program for ELCPS compliance.
The ELCPS is another sign that the embedded Linux community (and Linux in
general) is growing up. Embedded Linux, in particular, has been subject to
the sort of fragmentation that creates worry among technology pundits and
corporate managers; the ELCPS should help those people to worry a bit less.
By using embedded Linux, manufacturers are already
able to free themselves from proprietary platforms and royalty payments.
The ELCPS should make these manufacturers more confident that they will not
find themselves locked into a single vendor. And that, of course, should
be good for the Embedded Linux market as a whole.
Comments (3 posted)
Lindows sells virus protection
Lindows.com has
announced a new offering for
its distribution: for $29/year, Lindows users can run the new "VirusSafe"
utility which protects the system from viruses. It seems like a reasonable
product: other desktop systems have had anti-virus applications for
years. And, apparently, virus protection is at the top of the list of
features requested by Lindows users.
There's only one problem: Linux viruses are rather hard to find. In fact,
the list of "in the wild" Linux viruses that have actually infected systems
is short - there are none. The case of SirCam infection via
Wine is, if anything, the exception that proves the rule. It
demonstrates how far one has to go to infect a Linux system - and, even
then, the virus was not able to propagate.
A Linux-based virus is not impossible; one could imagine, say, a hostile
email message which, taking advantage of a fetchmail buffer overflow,
managed to spread itself over the net. But the fact is that this sort of
thing simply does not happen. Linux systems are harder to break into, and
they are better at containing the effects of breaches that do occur. When
a program is found to allow unpleasant things like arbitrary command
execution (as in the recent vim modeline
vulnerability), it gets fixed in a hurry rather than being presented as
a feature.
So we thought it might be worthwhile to ask Lindows exactly what it is
defending its users against. What virus (or other) infections would have
been prevented by running VirusSafe on a target system? Unfortunately,
Lindows did not respond to repeated inquiries, so we are left having to
guess.
Lindows, perhaps, is defending its users against the fear of running
systems without virus scanners installed. It is difficult to explain to
users why they probably do not need explicit virus protection; and,
besides, it seems they are willing to pay for that protection whether they
need it or not. As a business plan, it may make some sense - as long as
you don't mind selling your customers something they almost certainly do
not need.
Comments (24 posted)
Page editor: Jonathan Corbet
Security
Security news
The National Strategy to Secure Cyberspace
[This article was contributed by Tom Owen]
The Friday release of the National Strategy to Secure Cyberspace may have
been overshadowed by the recent departure of Richard Clarke, President
Bush's cybersecurity advisor. It certainly didn't get a big build-up. But
now we have the "final" version of what will doubtless be a continuously
evolving strategy.
The draft released in September generated apathy and dismissal
after widespread unsourced reports of tech firms lobbying to remove references
to insecure "out of the box" configurations and wireless hazards.
The biggest change over the draft is external: the Department of Homeland
Security (DHS) now exists,
with a budget and a head, and by far the majority of the action items fall on it.
The strategic objective is clear:
"It is the policy of the United States to prevent or minimize disruptions
to critical information infrastructures and thereby protect the people,
the economy, the essential human and government services, and the national
security of the United States."
as is the purpose of the document:
"The purpose of this document is to engage and empower Americans to secure
the portions of cyberspace that they own, operate, control, or with which
they interact."
The core of the strategy is the five national priorities:
- A security response system
- A threat and vulnerability reduction system
- A security awareness and training program
- Security within government operations
- National and international security cooperation
Within the strategy, each priority generates five to fifteen actions and
recommendations. The actions fall on the federal government, typically the
DHS or the United States generally, while the recommendations are for the
private sector and academia.
Some consistent themes inform the discussion of all priorities:
- The threat is real: the US depends on the integrity of cyberspace, and
that integrity can now be undone by enemies.
- Most of what's needed is outside the scope of government: beyond
protecting its own operations and the commons, the work has to be done by
corporations, colleges and the public.
- The public and private sectors can, and must, work together.
- Privacy and liberty must be protected. It's not that prominent, but it's
a pleasant surprise to see it at all.
Regarding the called-for national security response system:
The National Cyberspace Security Response System will
involve public and private institutions and cyber centers
to perform analysis,
conduct watch and warning activities,
enable information exchange,
and facilitate restoration efforts.
The plan appears to mandate that the DHS coordinate among government
agencies and academic and private-sector actors. Obvious candidates would
include CERT, the AV vendors' labs, disaster recovery providers and perhaps
the operators of lists like Bugtraq.
The challenge is twofold. Firstly, to coordinate their work on attacks and
vulnerabilities, before and even (using fax, conferencing and voicemail)
during an attack; and secondly, to ensure that the private sector is
actually using the resources created. It appears that there will be an
effort to remove antitrust obstacles to this cooperation.
Responding to security incidents is important, but so is preventing those
incidents before they happen.
The strategy asks private and government agencies to communicate better to
find and protect against potential problems. Even before the recent
"Slammer" worm, others like Nimda and
Code Red had made it clear that threats, once released, spread faster than
fixes.
So it is important to find and fix vulnerabilities before they are
exploited.
One stand out point is a clear intention to use criminal justice more
aggressively: this might be a good time to stop writing stupid viruses for
fun.
The strategy gets more specific here. Examples of the work planned include:
- Improving infrastructure: the Commerce Department's review of a national
transition to IPv6 and the DHS's intention to bang heads together to get
progress on securing DNS and BGP, together with longer-term efforts to add
source address verification and secure out-of-band management to the
Internet.
- Securing plant and equipment control networks to exclude terrorists from
air-traffic control, dams and chemical plants.
- Addressing software vulnerabilities: establishing a neutral clearinghouse,
with, interestingly, a national policy defining appropriate vulnerability
disclosure, central testing for patches to government systems, and promotion
of tools and best practice for patch distribution.
Then, there is the call for a national security awareness and training
program.
This priority addresses a slightly broader range than most.
The traditional targets for security training: users, admins and developers,
are there, but the plan goes further:
Many information-system vulnerabilities exist
because of a lack of cyberspace security
awareness on the part of ...
procurement officials, auditors, chief information
officers, chief executive officers, and
corporate boards.
Getting these people trained is not going to be easy.
School curricula, awareness programs, certification and the other plan
items can reach professionals and users, but getting informed discussion
between corporate policymakers at the country club will take something more --
there may be a role for the insurers here.
Of course, the government must also worry about cleaning up its own act, so
it is not surprising to see internal security as an important part of this
plan.
The plan in this area is blandly conventional, revealing that government
practice is no better than the private sector's.
One of the few mentions of a specific technology, wireless, occurs under this
heading.
The last item (national and international security coordination) seems like
a bland commitment to improve international
co-operation, encouraging foreign countries to achieve effective criminal law
and participate in information-sharing programs. But early on comes this
jaw-dropper:
When a nation, terrorist group, or other adversary
attacks the United States through cyberspace, the
U.S. response need not be limited to criminal prosecution.
The United States reserves the right to
respond in an appropriate manner.
The strategy doesn't expand on this point, and responsibility for that
action falls on no specific agency,
but when it happens, it'll be on the evening news.
Given the source, the document as a whole is at least as good as could have
been hoped.
Part of the value comes from what's left out:
- There's no hysteria about encryption or crackers
- No plan to wall off the US and unplug those nasty foreigners
- No dramatic legislative program
- No mandating or prohibition of specific technologies and vendors
High-level strategic planning can be used to hide a lot of vagueness and
unreality,
as the broad scope needed in the language and objectives makes it hard to
visualise what is intended.
This hasn't happened here.
The Department of Homeland Security's interest in the network comes into
clearer focus.
Some of the organisations and networks which will protect cyberspace are
making their first appearance here.
And we can see that some people are asking the right questions.
Comments (1 posted)
February CRYPTO-GRAM Newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for February is out. It looks at
Matt Blaze's lock-picking disclosure (and the reaction to it), SQL Slammer
worm notes, the importance of authentication, and more.
"I'd rather have as much information as I can to make an informed
decision about security. I'd rather have the information I need to
pressure vendors to improve security. I don't want to live in a world
where locksmiths can sell me a master key system that they know doesn't
work or where the government can implement security measures without
accountability."
Full Story (comments: none)
New vulnerabilities
mailman: mailman 2.1 cross site scripting vulnerabilities
| Package(s): | mailman |
| CVE #(s): | |
| Created: | February 17, 2003 |
| Updated: | February 19, 2003 |
| Description: |
The email variable and the default error page in mailman 2.1 contain
cross-site scripting vulnerabilities.
Read the full advisory for the details.
|
| Alerts: | |
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
| CVE #(s): | CAN-2003-0358, CAN-2003-0359 |
| Created: | February 18, 2003 |
| Updated: | July 15, 2003 |
| Description: |
Overflowing a buffer in nethack may lead to privilege escalation to the
games uid.
Read the full advisory for the details.
Note that falconseye does not contain the file permission error
(CAN-2003-0359) which affected some other nethack packages.
|
| Alerts: | |
Comments (none posted)
OpenSSL: plaintext exposure vulnerability
| Package(s): | openssl |
| CVE #(s): | CAN-2003-0078 |
| Created: | February 19, 2003 |
| Updated: | March 6, 2003 |
| Description: |
A vulnerability has been found in OpenSSL that, given the right conditions,
could lead to the exposure of transactions in plain text. This problem
looks difficult to exploit (it requires a man-in-the-middle attack, among
other things), but one can't be too sure, so the OpenSSL project has
released versions 0.9.7a (with the fix and some new features) and 0.9.6i
(with fixes only). See the announcement for details.
|
| Alerts: | |
Comments (none posted)
pam_xauth: root exploit
| Package(s): | pam_xauth |
| CVE #(s): | CAN-2002-1160 |
| Created: | February 13, 2003 |
| Updated: | July 10, 2003 |
| Description: |
The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat
Linux since version 7.1 would forward authorization information from the
root account to unprivileged users. This could be used by a local attacker
to gain access to an administrator's X session. In order to exploit this
vulnerability, the attacker would have to get the administrator, as root,
to use su to the account belonging to the attacker.
|
| Alerts: | |
Comments (none posted)
php: arbitrary file access and code execution
| Package(s): | php, mod_php |
| CVE #(s): | |
| Created: | February 18, 2003 |
| Updated: | February 19, 2003 |
| Description: |
Kosmas Skiadopoulos discovered a serious security vulnerability [0] in the
CGI SAPI of PHP version 4.3.0. PHP [1] contains code for preventing direct
access to the CGI binary with the configure option
"--enable-force-cgi-redirect" and the php.ini option "cgi.force_redirect". In
PHP 4.3.0 there is a bug which renders these options useless. Please note
that this bug does NOT affect any of the other SAPI modules such as the
Apache or ISAPI modules.
Anyone with access to websites hosted on a web server which employs the CGI
module may exploit this vulnerability to gain access to any file readable
by the user under which the web server runs. A remote attacker could also
trick PHP into executing arbitrary PHP code if the attacker is able to inject
the code into files accessible by the CGI, for example the web server's
access logs.
References:
[0] http://www.php.net/release_4_3_1.php
[1] http://www.php.net/
|
| Alerts: | |
Comments (none posted)
syslinux: security issues in installer
| Package(s): | syslinux |
| CVE #(s): | |
| Created: | February 18, 2003 |
| Updated: | February 19, 2003 |
| Description: |
From the syslinux changelog:
"Security flaws have been found in the SYSLINUX installer when running
setuid root. Rewrite the SYSLINUX installer so it uses mtools instead.
It therefore now requires mtools (specifically mcopy and mattrib) to
exist on your system, but it will not require root privileges and
SHOULD NOT be setuid."
|
| Alerts: | |
Comments (none posted)
util-linux: predictable mcookie results
| Package(s): | util-linux |
| CVE #(s): | |
| Created: | February 14, 2003 |
| Updated: | February 19, 2003 |
| Description: |
The util-linux package provides the mcookie utility, a tool for
generating random cookies that can be used for X authentication. The
util-linux packages that were distributed with Mandrake Linux 8.2 and
9.0 had a patch that made it use /dev/urandom instead of /dev/random,
which resulted in the mcookie being more predictable than it would
otherwise be. This patch has been removed in these updates, giving
mcookie a better source of entropy and making the generated cookies
less predictable. Thanks to Dirk Mueller for pointing this out.
|
| Alerts: | |
Comments (2 posted)
Updated vulnerabilities
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 20, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a potentially exploitable heap corruption bug.
(First LWN report: January 17th).
|
| Alerts: | |
Comments (none posted)
BIND8: Multiple vulnerabilities
Comments (1 posted)
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind, glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc-related vulnerability which does not
affect Linux. Updates from the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately, that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes, is in the glibc getnetbyXXX
functions. These functions are described in the SuSE alert as "used by
very few applications only, such as ifconfig and ifuser, which makes
exploits less likely."
CERT Advisory CA-2002-19: Buffer Overflow in Multiple DNS Resolver Libraries
(CAN-2002-0651, CAN-2002-0684)
|
| Alerts: | |
Comments (1 posted)
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin', which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information or cause a denial of service. (CAN-2002-1159)
See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt
|
| Alerts: | |
Comments (none posted)
cups - multiple vulnerabilities
Comments (none posted)
CVS - exploitable double-free bug in the CVS server
| Package(s): | cvs |
| CVE #(s): | CAN-2003-0015 |
| Created: | January 20, 2003 |
| Updated: | April 7, 2003 |
| Description: |
CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this
bug could be used by anonymous users to gain write privileges. Users with
CVS write privileges can then use the Update-prog and Checkin-prog features
to execute arbitrary commands on the server.
All users of CVS are advised to upgrade to erratum packages which contain
patches to correct the double-free bug.
See also this CERT advisory.
|
| Alerts: | |
Comments (none posted)
dhcp3 - ignored counter boundary
| Package(s): | dhcp3 |
| CVE #(s): | CAN-2003-0039 |
| Created: | January 28, 2003 |
| Updated: | April 4, 2003 |
| Description: |
Florian Lohoff discovered a bug in dhcrelay that causes it to send a
continuing packet storm towards the configured DHCP server(s) when it
receives a malicious BOOTP packet, such as those sent by buggy Cisco
switches.
When the DHCP relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff,
which causes the network interface to reflect the packet back into the
socket. To prevent loops, dhcrelay checks whether the relay address is
its own, in which case the packet is dropped. In combination with a
missing upper boundary for the hop counter, an attacker can force the
relay to send a continuing packet storm towards the configured DHCP
server(s).
The patch introduces a new command-line switch ``-c maxcount``; people are
advised to start the relay with ``dhcrelay -c 10`` or a smaller number,
which limits it to that many packets.
The dhcrelay program from the ``dhcp`` package does not seem to be
affected, since DHCP packets are dropped if they were apparently
relayed already.
|
| Alerts: | |
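The loop described in this advisory is easy to reproduce on paper. The following simulation is an added example (not ISC dhcp or Debian code): it builds a minimal BOOTP request, models one pass through a relay that performs only the giaddr loop check, and counts how many packets get forwarded when every forwarded packet is reflected straight back, first with no hop limit and then with the equivalent of ``-c maxcount``. The addresses, the reflect-back model and the treatment of the hop field are constructed assumptions.

```python
"""Simulation of the dhcrelay BOOTP reflection loop.

Added example. BOOTP header layout (RFC 951): op(1) htype(1) hlen(1)
hops(1) xid(4) secs(2) flags(2) ciaddr(4) yiaddr(4) siaddr(4) giaddr(4);
only the hops byte (offset 3) and giaddr (offsets 24..27) matter here.
"""
import struct
from ipaddress import IPv4Address
from typing import Optional

RELAY_ADDR = IPv4Address("10.0.0.1")       # assumed: the relay's own address
SPOOFED_GIADDR = IPv4Address("10.0.0.99")  # assumed: giaddr in the bogus packet
ZERO_ADDR = IPv4Address("0.0.0.0")


def bootp_request(giaddr: IPv4Address, hops: int = 0, xid: int = 0x1234) -> bytes:
    """First 28 bytes of a BOOTREQUEST (op=1, Ethernet, hlen=6)."""
    return struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, hops, xid, 0, 0,
                       ZERO_ADDR.packed, ZERO_ADDR.packed, ZERO_ADDR.packed,
                       giaddr.packed)


def relay(packet: bytes, max_hops: Optional[int]) -> Optional[bytes]:
    """One pass through the relay. Returns the forwarded packet, or None if
    the packet is dropped. max_hops=None models the unbounded behaviour in
    the advisory; an integer models ``dhcrelay -c maxcount``."""
    hops = packet[3]
    giaddr = IPv4Address(packet[24:28])
    if giaddr == RELAY_ADDR:          # the only loop check in the old code
        return None
    if max_hops is not None and hops >= max_hops:
        return None                   # the added upper bound
    if giaddr == ZERO_ADDR:           # a relay fills in giaddr only if unset,
        giaddr = RELAY_ADDR           # which is why a spoofed one never trips
    hops = (hops + 1) & 0xFF          # the loop check above (8-bit field)
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr.packed


def packets_sent(max_hops: Optional[int], ceiling: int = 1000) -> int:
    """Forwards made when each forwarded packet is reflected back to the
    relay's socket; `ceiling` only stops the simulation, not the relay."""
    pkt = bootp_request(SPOOFED_GIADDR)
    sent = 0
    while sent < ceiling:
        pkt = relay(pkt, max_hops)
        if pkt is None:
            break
        sent += 1
    return sent


if __name__ == "__main__":
    print("no hop limit:", packets_sent(None))   # runs to the ceiling
    print("-c 10:", packets_sent(10))            # stops after 10 forwards
```

A request with giaddr unset gets the relay's own address on the first pass and is dropped on the second, which is the case the original loop check was written for; a request arriving with a foreign, non-zero giaddr never hits that check, and only the hop bound ends the storm.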
Comments (none posted)
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing
fonts. An attacker who can craft the right sort of print job can use this
vulnerability to execute commands under the UID used by the print system.
|
| Alerts: | |
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes
and lets interested applications know when something happens. This package
has a flaw in its group handling that blocks some legitimate operations
while, at the same time, exposing the names of files that should otherwise
be invisible.
|
| Alerts: | |
Comments (none posted)
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow
vulnerability which can be exploited remotely via a suitably crafted
message. See this advisory for details.
|
| Alerts: | |
Comments (3 posted)
GNU fileutils race condition
| Package(s): | fileutils, ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 20, 2002 |
| Updated: | May 16, 2003 |
| Description: |
A race condition in rm may cause the root user to delete the whole
filesystem. The problem exists in the version of rm in fileutils 4.1
stable and the 4.1.6 development version. A patch is available.
(First LWN report: May 2).
|
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: |
Felix von Leitner discovered a potential division by zero bug in code
derived from the SunRPC library which is used in glibc. This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a
variety of applications, this defect may lead to a number of differing
security problems. Exploiting this vulnerability may lead to denial of
service, execution of arbitrary code, or the disclosure of sensitive
information.
CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array()
function when deserializing the XDR stream
|
| Alerts: | |
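The CERT note's one-line summary, an integer overflow while deserializing an array, describes a size-arithmetic failure that is worth seeing in numbers. The following is an added example, not glibc or SunRPC code: an XDR array arrives as a 32-bit element count followed by the elements, and a decoder multiplies the count by the element size to allocate a buffer. The unchecked function reproduces only the arithmetic shape of that flaw (the count is compared with a caller-supplied maximum, but the byte count itself wraps in 32-bit unsigned arithmetic); the checked one bounds the count before multiplying. The element size, maximum and the sample stream are constructed.

```python
"""32-bit size arithmetic of the kind behind an xdr_array()-style overflow.

Added example. Python integers do not wrap, so the unchecked variant masks
the product to 32 bits to reproduce what `unsigned int count * elsize`
does in C. Nothing here is the real glibc code.
"""
import struct
from typing import Optional

UINT32_MAX = 0xFFFFFFFF


def alloc_size_unchecked(count: int, elsize: int, maxsize: int) -> Optional[int]:
    """Byte count as a 32-bit C expression would compute it.

    The only guard is `count > maxsize`; callers commonly pass ~0 as maxsize,
    so the multiplication is what actually decides the allocation size."""
    if count > maxsize:
        return None
    return (count * elsize) & UINT32_MAX     # wraps silently, like unsigned int


def alloc_size_checked(count: int, elsize: int, maxsize: int) -> Optional[int]:
    """Reject any count whose byte size cannot be represented in 32 bits."""
    if elsize <= 0 or count > maxsize or count > UINT32_MAX // elsize:
        return None
    return count * elsize


def decode_array_header(stream: bytes) -> int:
    """XDR encodes the element count as a big-endian unsigned 32-bit integer."""
    (count,) = struct.unpack("!I", stream[:4])
    return count


# Constructed hostile stream: claims 0x40000001 elements of 4 bytes each.
# 0x40000001 * 4 = 0x1_0000_0004, which a 32-bit unsigned multiply turns
# into 4: a 4-byte buffer for over a billion elements the decoder then
# tries to fill.
HOSTILE_STREAM = struct.pack("!I", 0x40000001) + b"\0" * 16

if __name__ == "__main__":
    n = decode_array_header(HOSTILE_STREAM)
    print("claimed elements:", n)
    print("unchecked allocation:", alloc_size_unchecked(n, 4, UINT32_MAX))
    print("checked allocation:", alloc_size_checked(n, 4, UINT32_MAX))
```

The fix is the general one for any length-prefixed format: compare the count against `MAX / elsize` (or use a checked multiply) before the size is ever computed, rather than trusting a maximum that callers set to "unlimited".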
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: |
DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note VU#738331.)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such
as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer
size instead of the actual size when processing a DNS response, which
causes the stub resolvers to read past the actual boundary ("read buffer
overflow"), allowing remote attackers to cause a denial of service
(crash).
|
| Alerts: | |
Comments (none posted)
hypermail - buffer overflows
| Package(s): | hypermail |
| CVE #(s): | CAN-2003-0057 |
| Created: | February 11, 2003 |
| Updated: | February 27, 2003 |
| Description: |
Ulf Harnhammar discovered two problems in hypermail, a program to
create HTML archives of mailing lists.
An attacker could craft a long filename for an attachment that would
overflow two buffers when a certain option for interactive use was
given, opening the possibility to inject arbitrary code. This code
would then be executed under the user id hypermail runs as, mostly as
a local user. Automatic and silent use of hypermail does not seem to
be affected.
The CGI program mail, which is not installed by the Debian package,
does a reverse look-up of the user's IP address and copies the
resulting hostname into a fixed-size buffer. A specially crafted DNS
reply could overflow this buffer, opening the program to an exploit.
|
| Alerts: | |
Comments (none posted)
IM: creates temporary files insecurely
| Package(s): | im |
| CVE #(s): | CAN-2002-1395 |
| Created: | December 3, 2002 |
| Updated: | March 6, 2003 |
| Description: |
Tatsuya Kinoshita discovered that IM, which contains interface
commands and Perl libraries for E-mail and NetNews, creates temporary
files insecurely.
- The impwagent program creates a temporary directory in an insecure
manner in /tmp, using predictable directory names without checking
the return code of mkdir, so a local user can seize the temporary
directory and its permissions from another user.
- The immknmz program creates a temporary file in an insecure manner
in /tmp using a predictable filename, so an attacker with local
access can easily create and overwrite files as another user.
|
| Alerts: | |
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
| CVE #(s): | CAN-2003-0025 |
| Created: | January 15, 2003 |
| Updated: | July 8, 2003 |
| Description: |
The IMP webmail program, versions 2.2.8 and prior, is vulnerable to SQL
injection; see this advisory for details.
Version 3.x is not vulnerable to this problem.
|
| Alerts: | |
Comments (1 posted)
KDE - command parameter quoting problems
Package(s): kde
CVE #(s): CAN-2002-1393
Created: December 23, 2002
Updated: February 21, 2003
Description:
In some instances, KDE (versions 2 and 3) fails to properly quote parameters of instructions
passed to a command shell for execution.
These parameters may incorporate data such as URLs, filenames and e-mail
addresses, and this data may be provided remotely to a victim in an e-mail,
a webpage or files on a network filesystem or other untrusted source.
By carefully crafting such data an attacker might be able to execute
arbitrary commands on a vulnerable system using the victim's account and
privileges.
See this announcement for more details.
Alerts:
Comments (none posted)
kdelibs: Vulnerabilities in KIO subsystem support
Package(s): kdelibs
CVE #(s): CAN-2002-1281
CAN-2002-1282
Created: November 22, 2002
Updated: March 14, 2003
Description:
Vulnerabilities were discovered in the KIO subsystem support for various
network protocols. The implementation of the rlogin protocol affects all
KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the
telnet protocol only affects KDE 2.x. They allow a carefully crafted URL
in an HTML page, HTML email, or other KIO-enabled application to execute
arbitrary commands with the victim's privileges.
The KDE team provided a patch for KDE3 which has been applied in these
packages. No patch was provided for KDE2; however, the KDE team recommends
disabling both the rlogin and telnet KIO protocols. This can be
accomplished by removing, as root, the following files:
/usr/share/services/telnet.protocol and
/usr/share/services/rlogin.protocol.
If either file also exists in a user's ~/.kde/share/services directory,
it should likewise be removed.
See also:
http://www.kde.org/info/security/advisory-20021111-1.txt
Alerts:
Comments (none posted)
kernel-utils: setuid vulnerability
Package(s): kernel-utils
CVE #(s): CAN-2003-0019
Created: February 7, 2003
Updated: January 21, 2005
Description:
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a workaround for this vulnerability, issue the following
command as root:
chmod -s /usr/bin/uml_net
Alerts:
Comments (none posted)
krb5 - vulnerability in Kerberos ftp client
Package(s): krb5 ftp netkit
CVE #(s): CAN-2003-0041
Created: January 31, 2003
Updated: February 21, 2003
Description:
Kerberos is a network authentication system.
A problem has been found in the Kerberos ftp client. When retrieving a
file with a filename beginning with a pipe character, the ftp client will
pass the filename to the command shell in a system() call. This could
allow a malicious ftp server to write to files outside of the current
directory or execute commands as the user running the ftp client.
The Kerberos ftp client runs as the default ftp client when the Kerberos
package krb5-workstation is installed on a Red Hat Linux distribution.
Alerts:
Comments (none posted)
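The KDE quoting entry and this ftp entry are the same class of bug: a string chosen by someone else (a URL or address in KDE's case, a server-supplied filename in the ftp client's case) reaches a shell through system() or popen(). The following is an added example, not KDE's or the Kerberos ftp client's code, serving both entries; the "kmail" command name, the helper names and the sample inputs are assumptions. It shows a quoting routine that makes the shell see one literal word, and the filename check that keeps a server-chosen "|command" name away from popen() entirely.

```c
/*
 * Added example, not KDE's or the Kerberos ftp client's code: untrusted
 * strings (a mailto: address, a server-supplied filename) on their way to
 * system()/popen().  The "kmail" command name is an assumption.
 */
#include <stdio.h>
#include <string.h>

/* Wrap s in single quotes so a POSIX shell sees exactly one literal word.
 * An embedded single quote becomes '\'' (close, escaped quote, reopen).
 * Returns the length written, or -1 if out is too small. */
static int shell_single_quote(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 3)                 /* need at least '' and a NUL */
        return -1;
    out[n++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            if (n + 6 > outlen)     /* room for '\'' plus closing quote and NUL */
                return -1;
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            if (n + 3 > outlen)
                return -1;
            out[n++] = *s;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* KDE-style use: a mailto: address handed to a mail client via the shell.
 * Without quoting, "a@example.net; rm -rf ~" also runs the second command. */
static int build_mail_command(const char *addr, char *cmd, size_t cmdlen)
{
    char q[512];
    if (shell_single_quote(addr, q, sizeof q) < 0)
        return -1;
    if (snprintf(cmd, cmdlen, "kmail %s", q) >= (int)cmdlen)
        return -1;
    return 0;
}

/* ftp-style use: the BSD ftp lineage treats a local file name beginning
 * with '|' as a command to pipe the data into.  When the name comes from
 * the server rather than the user's keyboard, refuse it before it can
 * reach popen()/system(), and keep it inside the current directory. */
static int local_name_ok(const char *name)
{
    if (name[0] == '\0' || name[0] == '|')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    for (; *name; name++)
        if ((unsigned char)*name < 0x20)   /* control characters, newline */
            return 0;
    return 1;
}

static int demo_quote_matches(void)
{
    char out[64];
    int n = shell_single_quote("it's; rm -rf /", out, sizeof out);
    return n == 19 && strcmp(out, "'it'\\''s; rm -rf /'") == 0;
}

static int demo_command_is_one_word(void)
{
    char cmd[600];
    if (build_mail_command("a@example.net; rm -rf ~", cmd, sizeof cmd) != 0)
        return 0;
    return strcmp(cmd, "kmail 'a@example.net; rm -rf ~'") == 0;
}

int main(void)
{
    printf("quoting: %d, command: %d\n",
           demo_quote_matches(), demo_command_is_one_word());
    printf("names: %d %d %d\n", local_name_ok("report.txt"),
           local_name_ok("|sh -c id"), local_name_ok("../.ssh/authorized_keys"));
    return 0;
}
```

Quoting is the fallback; the better fix in both cases is to not involve a shell at all, that is, fork()/execve() with an argument vector for the KDE case and fopen() of a checked name for the ftp case. Quoting only protects the one argument it wraps, and a later maintainer can still concatenate something unquoted next to it.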
libmcrypt: buffer overflows and memory exhaustion
Package(s): libmcrypt
CVE #(s): CAN-2003-0031
CAN-2003-0032
Created: January 6, 2003
Updated: February 27, 2003
Description:
libmcrypt versions prior to 2.5.5 contain a number of buffer overflow
vulnerabilities that stem from improper or missing input validation. By
passing a longer than expected input to a number of functions (multiple
functions are affected) the user can successfully make libmcrypt crash.
Another vulnerability is due to the way libmcrypt loads algorithms via
libtool. When the algorithms are loaded dynamically, each time an
algorithm is loaded a small amount (a few kilobytes) of memory is leaked. In a
persistent environment (a web server) this could lead to a memory exhaustion
attack that exhausts all available memory by launching repeated
requests at an application utilizing the mcrypt library.
Alerts:
Comments (none posted)
libpng, libpng3: buffer overflow
Package(s): libpng, libpng3
CVE #(s): CAN-2002-1363
Created: December 19, 2002
Updated: July 14, 2004
Description:
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer.
Alerts:
Comments (none posted)
lynx: CRLF injection vulnerability
Package(s): lynx
CVE #(s): CAN-2002-1405
Created: November 19, 2002
Updated: September 30, 2003
Description:
If lynx is given a URL with some special characters on the command line, it
will include faked headers in the HTTP query. This feature can be used to
force scripts (that use lynx for downloading files) to access the wrong
site on a web server with multiple virtual hosts.
Alerts:
Comments (none posted)
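The lynx bug is header injection: a carriage return and line feed inside the URL end the request line early, and whatever follows is sent to the server as further headers, so a script that builds a URL from outside input can be made to send a Host: header of the attacker's choosing. The following is an added example, not lynx's code; the hostnames, paths and helper names are constructed for illustration. It builds an HTTP/1.0 request from a URL's host and path and refuses any byte that could start a new header line.

```c
/*
 * Added example, not lynx's code: assembling an HTTP/1.0 request from
 * the host and path of a URL.  Hostnames and paths are constructed.
 */
#include <stdio.h>
#include <string.h>

/* True if s contains a byte that would end the request line or start a
 * new header: CR, LF, other control characters, or a bare space (which
 * must be sent as %20 in a request target). */
static int breaks_request_line(const char *s)
{
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == '\r' || c == '\n' || c == ' ' || c < 0x20 || c == 0x7f)
            return 1;
    }
    return 0;
}

/* Builds "GET <path> HTTP/1.0\r\nHost: <host>\r\n\r\n".  Returns the
 * request length, or -1 if either part could inject a header. */
static int build_request(const char *host, const char *path,
                         char *out, size_t outlen)
{
    int n;
    if (path[0] != '/' || host[0] == '\0')
        return -1;
    if (breaks_request_line(host) || breaks_request_line(path))
        return -1;
    n = snprintf(out, outlen, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", path, host);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

static int demo_clean_url(void)
{
    char req[256];
    int n = build_request("www.example.net", "/index.html", req, sizeof req);
    return n == 51 &&
           strcmp(req, "GET /index.html HTTP/1.0\r\nHost: www.example.net\r\n\r\n") == 0;
}

/* A client passing this "path" straight through would emit a second Host:
 * line, and a server with several virtual hosts would answer for the
 * wrong one.  The check rejects it before any request is formed. */
static int demo_injected_url(void)
{
    char req[256];
    return build_request("www.example.net",
                         "/ HTTP/1.0\r\nHost: other.example.net\r\n\r\nGET /x",
                         req, sizeof req);
}

int main(void)
{
    printf("clean: %d, injected: %d\n", demo_clean_url(), demo_injected_url());
    return 0;
}
```

Rejecting is the right response at this layer; percent-encoding the offending bytes instead would silently turn the attacker's string into a different, valid request, which is rarely what the calling script intended either.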
perl-MailTools: remote command execution
Package(s): MailTools
CVE #(s): CAN-2002-1271
Created: November 5, 2002
Updated: September 19, 2003
Description:
The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer, which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected
by this vulnerability; in particular, SpamAssassin is vulnerable if you use
the -r or -w flags.
Alerts:
Comments (none posted)
micq: Denial of service
Package(s): micq
CVE #(s):
Created: December 13, 2002
Updated: April 24, 2003
Description:
Rüdiger Kuhlmann, upstream developer of mICQ, a text-based ICQ client,
discovered a problem in mICQ. Receiving certain ICQ message types
that do not contain the required 0xFE separator causes all versions to
crash.
Alerts:
Comments (none posted)
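A message format that relies on a separator byte crashes the parser when the separator is missing if the result of the separator search is used without a check. The following is an added example, not mICQ's code; the field layout (nick, e-mail, text) and both sample messages are constructed for illustration. It shows the unchecked search beside a splitter that bounds every field by the buffer and reports a malformed message instead of dereferencing NULL.

```c
/*
 * Added example, not mICQ's code: splitting an ICQ message body into
 * fields at the 0xFE separator.  The sample messages are constructed and
 * the field layout (nick, e-mail, text) is an assumption.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICQ_SEP 0xFE
#define MAX_FIELDS 8

struct field {
    const uint8_t *p;
    size_t len;
};

/* Crash-prone shape: the separator search result is used without a NULL
 * check, so a message with no 0xFE produces a wild length.  Only defined
 * when the separator is actually present. */
size_t first_field_len_unsafe(const uint8_t *buf, size_t len)
{
    const uint8_t *sep = memchr(buf, ICQ_SEP, len);
    return (size_t)(sep - buf);   /* sep == NULL: undefined behaviour */
}

/* Hardened: every field is bounded by the buffer, and the caller states
 * how many fields the message type requires.  Returns the number of
 * fields found, or -1 if the message has fewer than `need` fields. */
static int split_icq_fields(const uint8_t *buf, size_t len, int need,
                            struct field *out, int maxout)
{
    const uint8_t *p = buf, *end = buf + len;
    int n = 0;

    while (n < maxout) {
        const uint8_t *sep = memchr(p, ICQ_SEP, (size_t)(end - p));
        out[n].p = p;
        out[n].len = sep ? (size_t)(sep - p) : (size_t)(end - p);
        n++;
        if (sep == NULL)
            break;                 /* last field runs to end of buffer */
        p = sep + 1;
    }
    return n >= need ? n : -1;
}

/* Constructed well-formed message: "Alice" 0xFE "a@x.org" 0xFE "hi". */
static const uint8_t msg_ok[] = {
    'A','l','i','c','e', ICQ_SEP,
    'a','@','x','.','o','r','g', ICQ_SEP,
    'h','i'
};

/* Constructed malformed message of the same type: no separator at all. */
static const uint8_t msg_bad[] = { 'A','l','i','c','e',' ','h','i' };

static int demo_wellformed(void)
{
    struct field f[MAX_FIELDS];
    int n = split_icq_fields(msg_ok, sizeof msg_ok, 3, f, MAX_FIELDS);
    if (n != 3)
        return -1;
    /* second field is the e-mail address, exactly 7 bytes */
    if (f[1].len != 7 || memcmp(f[1].p, "a@x.org", 7) != 0)
        return -2;
    return n;
}

static int demo_missing_separator(void)
{
    struct field f[MAX_FIELDS];
    return split_icq_fields(msg_bad, sizeof msg_bad, 3, f, MAX_FIELDS);
}

int main(void)
{
    printf("well-formed: %d fields, malformed: %d\n",
           demo_wellformed(), demo_missing_separator());
    return 0;
}
```

The fields are returned as pointer-and-length pairs rather than copied into fixed arrays, so a field that is longer than the parser expected cannot become a second bug of the hypermail kind.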
mod_dav: Apache mod_dav module format string vulnerability
Package(s): mod_dav
CVE #(s):
Created: February 17, 2003
Updated: February 19, 2003
Description:
The Apache mod_dav module contains a format string vulnerability in the
"ap_log_rerror()" function.
Alerts:
(No alerts in the database for this vulnerability)
Comments (1 posted)
PHP Remote Compromise/DoS Vulnerability
Package(s): mod_php4
CVE #(s):
Created: July 22, 2002
Updated: February 18, 2003
Description:
PHP 4.2.0 and 4.2.1 have an error in the handling of POST requests which
can lead to the corruption of memory, and the usual bad consequences.
According to this alert, the vulnerability can only be used for denial of
service on x86 systems; there is no way to get it to run exploit code.
SPARC/Solaris systems are apparently vulnerable to full remote compromise.
According to the CERT Advisory, almost every Linux distributor, it seems,
ships older (and thus not vulnerable) versions of PHP.
Note that, sometimes, systems thought to be safe from remote compromise
turn out to be vulnerable to a modified attack, so x86 users should not
relax too much. The solution, for those systems with PHP 4.2.0 or 4.2.1
installed, is to upgrade to PHP 4.2.2.
For more information see the alert from the discoverer of the
vulnerability, Stefan Esser of e-matters GmbH, or the security advisory
from the PHP team.
CERT Advisory: CA-2002-21 Vulnerability in PHP
Alerts:
Comments (1 posted)
mod_php - buffer overflow
Package(s): mod_php php
CVE #(s): CAN-2002-1396
Created: January 13, 2003
Updated: February 20, 2003
Description:
The wordwrap() function on user-supplied input may allow a
specially-crafted input to overflow the allocated buffer and overwrite the
heap. There are no known exploits, but an exploit is theoretically possible.
Read the full advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=104102689503192&w=2
Alerts:
Comments (none posted)
Mozilla: Privacy leak and other vulnerabilities
Package(s): mozilla
CVE #(s): CAN-2002-1126
CAN-2002-1091
Created: November 1, 2002
Updated: February 13, 2003
Description:
Mozilla 1.1 and earlier, and Mozilla-based browsers such as Netscape and
Galeon, set the document referrer too quickly in certain situations when a
new page is being loaded, which allows web pages to determine the next page
that is being visited, including manually entered URLs.
Netscape 6.2.3 and earlier, and Mozilla 1.0.1, allow remote attackers to
corrupt heap memory and execute arbitrary code via a GIF image with a zero
width.
See also Mozilla's Recently fixed security issues page.
All users are encouraged to upgrade to the latest stable 1.0.x release of
Mozilla.
Alerts:
Comments (none posted)
MySQL - double free vulnerability
Package(s): mysql
CVE #(s): CAN-2003-0073
Created: January 29, 2003
Updated: February 21, 2003
Description:
MySQL 3.23.55 fixes a double-free vulnerability which allows a hostile
client to crash the server process. Logging into the server is necessary
before this vulnerability can be exploited.
Alerts:
Comments (none posted)
MySQL: multiple vulnerabilities
Package(s): mysql
CVE #(s):
Created: December 13, 2002
Updated: April 10, 2003
Description:
The MySQL database server has several buffer overflow and integer bounds
checking vulnerabilities which can lead to denial of service attacks and,
possibly, remote code execution. See this e-matters advisory for details.
Version 3.23.54 fixes the problems.
Alerts:
Comments (none posted)
net-snmp: denial of service vulnerability
Package(s): net-snmp
CVE #(s): CAN-2002-1170
Created: December 17, 2002
Updated: November 7, 2003
Description:
The SNMP daemon included in the Net-SNMP package versions 5.0.1 through
5.0.4 can be caused to crash if it is sent a specially crafted packet.
Alerts:
Comments (none posted)
OpenLDAP2: remote command execution
Package(s): OpenLDAP2
CVE #(s): CAN-2002-1378
CAN-2002-1379
Created: December 6, 2002
Updated: February 21, 2003
Description:
OpenLDAP is the Open Source implementation of the Lightweight Directory
Access Protocol (LDAP) and is used in network environments for distributing
certain information such as X.509 certificates or login information.
The SuSE Security Team reviewed critical parts of that package and found
several buffer overflows and other bugs remote attackers could exploit to
gain access to systems running vulnerable LDAP servers. In addition to
these bugs, various locally exploitable bugs within the OpenLDAP2 libraries
(openldap2-devel package) have been fixed.
Since there is no workaround possible except shutting down the LDAP server,
an update is strongly recommended.
Alerts:
Comments (1 posted)
PHP: vulnerability in mail function
Package(s): php
CVE #(s): CAN-2002-0985
CAN-2002-0986
Created: November 13, 2002
Updated: September 30, 2003
Description:
Two vulnerabilities exist in the mail() PHP function. The first one allows
the execution of any program/script, bypassing the safe_mode restriction; the
second one may turn a script into an open relay if the mail() function is not
carefully used in PHP scripts. See this Bugtraq report for more details.
Note that this is a different vulnerability than the previous PHP mail()
problem, which affected versions through 4.1.0.
Alerts:
Comments (none posted)
PostgreSQL - more buffer overflows
Package(s): postgresql
CVE #(s):
Created: February 12, 2003
Updated: November 7, 2003
Description:
A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they
affect the circle_poly(), path_encode(), and path_addr() functions.
Exploiting these overflows requires that the attacker first obtain a
connection to the PostgreSQL server.
Alerts:
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
Package(s): python
CVE #(s): CAN-2002-1119
Created: August 28, 2002
Updated: September 30, 2003
Description:
Zack Weinberg discovered that os._execvpe from os.py uses a predictable
temporary file name, which could lead to execution of arbitrary code.
According to the Debian advisory, the problem was present in Python
versions 1.5, 2.1 and 2.2.
Alerts:
Comments (none posted)
Multiple-use vulnerability in Safe.pm
Package(s): Safe.pm
CVE #(s): CAN-2002-1323
Created: October 9, 2002
Updated: February 20, 2004
Description:
use Perl; has a description of a vulnerability in the Safe.pm Perl module.
It seems that if a Safe compartment is used more than once, it ceases to be
safe. The problem is fixed in Safe 2.08.
Alerts:
Comments (none posted)
slocate - buffer overflow
Package(s): slocate
CVE #(s): CAN-2003-0056
Created: February 5, 2003
Updated: May 8, 2003
Description:
Version 2.6 (at least) of slocate contains a buffer overflow vulnerability
which could lead to a local exploit; see this advisory for the details.
Alerts:
Comments (none posted)
File overwrite vulnerability in tar and unzip