A quick look at Gentoo Linux
Your editor recently needed to set up a sacrificial box for testing out
code for the
driver porting
series. Installing a system like that is always a good opportunity to
try out a new distribution, so it seemed like the right time to try to get
a sense for what the
Gentoo hype is
about.
Little did he know that it would take a week just to get through the
installation process.
Gentoo seems to be positioning itself as a Debian for the real
hackers. So, for example, most of the distribution is built from source at
installation time. Why? So you can control the configuration and
optimization settings, of course. As a result, the process can take a while,
especially if the system you are installing is relatively old and slow.
But, in fact, it takes some time to get even that far. A look at the 1.4rc3
installation instructions is a sobering experience; it takes a while
just to read about all that must be done. You start with a bootable
CD image, of course, but then it's a matter of:
- Figuring out and loading whatever kernel modules are necessary to
make your system work.
- Configuring networking - perhaps by hand.
- Going into fdisk to set up partitions.
- Running variants of mkfs as many times as necessary
to create your filesystems - be sure to get the partition names
right.
- Mounting the filesystems by hand.
- Untarring an archive with the base system on it.
- Issuing a manual chroot command to move into the
under-construction system's filesystem.
- Running the nice emerge tool, which will bring
your base system up to date with the current packages.
- Editing /etc/make.conf to set options on how the
rest of the system will be built.
- Running emerge again to download and build the bulk
of the system. Good time to head out for coffee. Or, on slower
systems, a nice weekend.
- Choosing from a few kernel source distributions, and running
make menuconfig to configure it appropriately. Make sure you
set the important options correctly (for example, you need to enable
devfs) - the initial configuration does not do this.
And so on...you presumably get the point by now. Installing Gentoo is
essentially a process of assembling your desired system by hand.
For old-time Linux users, the experience is much like going about ten years
back in time, when Linux systems really were assembled by hand. At
least you don't need a big stack of diskettes anymore.
The interesting thing is that, once you're done, the result is a pretty
nice system. The right packages are there, the administration tools seem to
be well thought out (though things like the init script system take a
little getting used to), and the "portage" package system has many of the
same features that make Debian's "apt" so great. And, of course, you have
a system that is set up exactly how you directed it to be and optimized for
your processor.
For most users, though, the pain required to get there will probably not
prove to be worth it. Your editor is not a stranger to this mode of
operation, having been through experiences like converting systems
from a.out to ELF by hand. But, you know, that was a while ago; now I'm
more interested in having the system just work. And if I'm trying to set
up a dozen (or hundreds) of boxes, the Gentoo approach is simply out of the
question.
There is, of course, absolutely nothing wrong with Gentoo being what it
is. There are plenty of distributions out there for people who want to be
able to do an installation without thinking about it. Gentoo is aimed at a
different audience - those who want to get their hands quite dirty inside
their Linux systems. That is, of course, one of the great things about
Linux: you can get your hands as deeply into the system as you want. As
the commercial distributions get flashier and generally easier to work
with, the excitement and challenge of dealing with the system at the lowest
level recedes a bit. Gentoo is bringing that experience back to a new
generation of Linux users and hackers, and seems to be doing a very good
job of it.
OpenOffice.org's Community Council
[This article was contributed by Joe 'Zonker' Brockmeier]
OpenOffice.org has come a long way since it was officially rolled out in
October, 2000. The group has delivered a full-featured Open Source
office suite that is shaping up as a viable competitor to Microsoft
Office, at least in some markets.
The group is now looking to revamp its governing process. Until now,
decisions have mostly been made by votes on mailing lists or by the
project leads of the various projects that make up OpenOffice.org. Now
the group is trying to develop a Community Council.
The proposal
has been kicked around for some time, and is currently being voted on.
We talked to one of the originators of the proposal, Josh Berkus. Berkus
is a marketing volunteer for the OpenOffice.org project. According to
Berkus, the proposal had been making the rounds for about a year before
it reached the final draft that is now being voted on.
In general, he says the Council will be similar to a steering committee.
It will help set release dates, coordinate efforts between the
OpenOffice.org community and Sun Microsystems, and coordinate work
between the individual projects that make up OpenOffice.org. Berkus also
noted that the Community Council will handle some member issues that the
group was ill-suited to handle in the past.
We had a problem with somebody who specifically needed to be expelled
from the project and blocked from rejoining...we didn't have any
structure in place with designated authority to kick this person out,
which is another thing we sort of need.
Another responsibility for the Council will be to assign resources if a
company or organization wants to donate developer time to the project,
without a specific feature or goal. Also, Berkus noted that the current
structure is not set up to handle donations of money. "The first task is
to come up with a legal structure that allows us to accept money."
Berkus wasn't sure whether the organization would be seeking non-profit
status or not.
The Council will consist of five project leads elected from the leads of
accepted projects, Lang (language) Representatives, a Community
Contributor Representative and a representative from Sun. The project
leads and language reps will have twelve-month terms, and the Community
Contributor will hold a six-month term. Sun's rep will be seated for
whatever term Sun chooses. The goal is also to stagger elections so only
half of the seats are up for election at one time.
Berkus also said that having language group representatives was
particularly important. According to Berkus, it can be extremely
difficult for non-English speakers to participate in discussion lists
that are conducted in English, and being effectively shut out of
important lists can lead to misunderstandings and communications
issues. "Having them know they have a rep on the Community Council and
they have a voice, should do a lot to head off that kind of a
problem...they don't have to feel alienated."
One thing that is unusual about the Community Council, for an Open
Source project, is that some of the work will take place behind closed
doors. In fact, the Community Council members will have to sign confidential
disclosure agreements. Berkus explained that, from time to time, the
group would be discussing plans that relate to Sun's StarOffice strategy
and that it wouldn't be prudent to do that in the open where Microsoft
could oversee the StarOffice strategy and revise theirs to match.
Berkus said that the Community Council would not be likely to dictate
new features, though they could help coordinate non-technical members of
the Community with the technical teams that could implement new
features.
As far as new features go, we should be seeing some pretty soon.
According to the public roadmap, we should be seeing a public beta of
OpenOffice.org 1.1 as early as this month and a final release of 1.1
sometime in July. We all know, however, how changeable software release
dates are. From the roadmap and release notes for build 643,
OpenOffice.org 1.1 looks to be mostly improvements on existing features
and further refinement of the program in general. However, there are a
few notable features that many users will find compelling.
At the top of the list is native PDF export capability. Filter support,
in general, is also slated to improve in 1.1, including new filters for
DocBook, XHTML and FlatXML. A full list of changes can be found on the
OpenOffice.org
site. Note that this list may be out of date, as it was last updated in
September; a few more improvements are listed on the
developer snapshot page.
Meanwhile, the first OpenOffice.org
conference is being held at the end of this week in Hamburg,
Germany. Expect more interesting news to emerge soon from this important
project which has only begun to shake up the desktop Linux landscape.
Some security notes
This has not been the greatest week for Linux from the security point of
view. A new, remotely-exploitable hole in Samba threatens a great many
servers worldwide (though one can only hope that there aren't
that
many Samba servers directly exposed to the Internet); this vulnerability is
covered on
this week's security
page. There is also
the
ptrace vulnerability in 2.2 and 2.4 kernels. A local user, by
attaching to a kernel thread, can obtain root access. Most distributors
have patches out for both of these problems, and applying them would be a
good idea.
Given the distinctly unpleasant state of world affairs at the moment, now
is probably a good time for most of us to take a look at the state of our
security patches. The number of attacks can only increase over the next few
weeks, and some attackers may be even less discriminating than usual in
their choice of targets. Some time spent checking systems now could be
saved many times over in the near future.
Meanwhile, every so often, some company which is making good money selling
antivirus software to Windows users decides to try to convince people
running Linux that they, too, need that company's help. The latest entrant
is this press release from
Central Command. Their angle is that the increase in desktop Linux
deployments will translate into virus problems: "A vast
majority of these new Linux users are unaware of the existence
of Linux-based viruses and security risks associated with
Linux..." OpenOffice is singled out for mention as a possible
means by which a Linux system could be infected.
Of course, a Linux-based virus is not an impossible thing. But a virus
running in the wild which bothers more than a very small number of people
remains quite unlikely. All of the usual reasons for this apply, but there
is one that stands out: Linux developers do not like the idea of strangers
running arbitrary code on their systems. So they tend not to write code
which provides that capability, and, when somebody figures out how to run
something anyway, the problem gets fixed. Quickly. If the original
developer won't fix the problem, somebody else will. Quickly. Linux users
need not wait until their vendor figures out that letting others run code
on their computers is a bad idea.
So, while we need to pay careful attention to the security of our systems,
we need not accept the claims of companies trying to sell us antivirus
products. Keeping systems secure is a matter of careful administration and
staying on top of patches; there is no time, or need, to be distracted by
companies selling solutions for problems we do not have.
Page editor: Jonathan Corbet
Security
Security news
The Samba Vulnerability
[This article was contributed by Tom Owen]
Samba.org's
announcement of 2.2.8
last week had an eerie familiarity:
here is another release prompted by a heap overflow in a major open source
server component.
A fortnight ago
it was sendmail
-- this time it's Samba, the free SMB/CIFS
server.
The vulnerability was spotted by the reliably hard-nosed security team at SuSE.
Samba team members say there's a risk of remote root compromise;
all sites are urged to plan an urgent upgrade.
The LWN
vulnerability entry
has links to distributions' patches, and the new version 2.2.8 which
contains the fix.
The vulnerability dates back to 2.0.x, which is over four years old and
was the Samba version that introduced domain logon for Windows NT
clients. If your server has been updated at any time since 1999, or acts
as a domain controller for NT clients, it is vulnerable.
The vulnerability is described as a buffer overflow in smbd's
message fragment assembly code.
Any exploit would send crafted SMB fragments to TCP port 139.
Also fixed in the new release is
a locally exploitable
race condition.
Even in a tightly-run site, this vulnerability is a serious threat,
potentially allowing root access to local users.
What gets plain scary is that there are sites which expose SMB to the Internet.
This can't ever be the right thing to do, whether the server is Samba or
Windows; the problem is not the servers but the protocol.
The Microsoft network neighbourhood browser may be easy to use, but the price
is that anyone can connect to a server and list users, servers and shares --
perfect background for social engineering, and an easy route to find any share
which, by error or design, has less than perfect security settings.
Access control is easier to lock down with Samba than with Windows, but it is
best simply not to expose it to the net at all.
The
announcement
goes into detail on the precautions any Samba site should be taking.
They have little to do with the vulnerability -- they don't protect against a
local attack --
and every site ought to be doing them anyway.
The first step is to make sure that ports for SMB and WINS are blocked at the
Internet gateway.
This risk is so well understood that many cheap routers include a
standardised filter set
(typically called something like NETBIOS)
to block ports 137, 138 and 139.
This is good as far as it goes, but Microsoft is moving away from these ports.
More recent Microsoft servers offer SMB directly on TCP at port 445,
so this is one more
port to block.
Samba 2.2 doesn't use 445 but the upcoming 3.0 will.
Samba's daemons are not normally started from inetd and so
can't be protected by TCP wrappers.
The announcement shows how to use smb.conf directives to get similar
control:
One of the simplest fixes in this case is to use the 'hosts allow' and
'hosts deny' options
in the Samba smb.conf configuration file to only allow access to your
server
from a specific range of hosts.
An example might be:
hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
hosts deny = 0.0.0.0/0
The above will only allow SMB connections from 'localhost'
(your own computer)
and from the two private networks 192.168.2 and 192.168.3.
All other connections will be refused as soon as the client
sends its first packet.
The refusal will be marked as a 'not listening on called name' error.
It seems rash to put a file server on your Internet gateway, but
a lot of home and small business hosts are set up that way.
These sites can limit their exposure with 'interfaces =' and
'bind interfaces only = yes', but a cheap basic filtering router is
probably a better plan.
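The announcement's example can be checked mechanically. What follows is an added example, not code from the Samba team or from the announcement: a small Python model of the documented hosts allow / hosts deny decision for IPv4 clients, run against a constructed smb.conf fragment that uses the announcement's two lines. The precedence rules are the ones in the smb.conf documentation: a match in the allow list wins; an allow list alone means unlisted hosts are refused; a deny list alone means unlisted hosts are admitted; neither list means everyone is admitted. Hostname and netgroup entries and EXCEPT clauses are not modelled, and 203.0.113.7 is simply a documentation-range address standing in for an arbitrary Internet host; neither it nor the sample file is from the announcement.

```python
import ipaddress
import re

# Constructed sample smb.conf fragment (not from any real server), using the
# hosts allow / hosts deny lines from the Samba 2.2.8 announcement.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   hosts allow = 127.0.0.1 192.168.2.0/24 192.168.3.0/24
   hosts deny = 0.0.0.0/0

[homes]
   browseable = no
"""

# RFC 5737 documentation address standing in for "some host on the Internet".
PUBLIC_PROBE = "203.0.113.7"


def _entry_matches(entry: str, client: ipaddress.IPv4Address) -> bool:
    """Match one hosts-list entry against a client address.

    Covers the address forms the smb.conf documentation lists: 'ALL',
    'localhost', a trailing-dot prefix ('192.168.2.'), CIDR or addr/netmask
    ('192.168.2.0/24', '192.168.2.0/255.255.255.0') and a single address.
    Hostname and netgroup entries are not modelled here and never match.
    """
    entry = entry.strip()
    if entry.upper() == "ALL":
        return True
    if entry.lower() == "localhost":
        return client.is_loopback
    if entry.endswith("."):
        # Compare with a trailing dot so '192.168.2.' does not match 192.168.20.x
        return (str(client) + ".").startswith(entry)
    try:
        if "/" in entry:
            return client in ipaddress.IPv4Network(entry, strict=False)
        return client == ipaddress.IPv4Address(entry)
    except ValueError:
        return False  # hostname or garbage: not an address pattern


def _split_list(value: str) -> list:
    """smb.conf lists are separated by spaces and/or commas."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def client_allowed(client_ip: str, hosts_allow: str = "", hosts_deny: str = "") -> bool:
    """Apply the documented allow/deny precedence to one client address."""
    client = ipaddress.IPv4Address(client_ip)
    allow = _split_list(hosts_allow)
    deny = _split_list(hosts_deny)
    in_allow = any(_entry_matches(e, client) for e in allow)
    in_deny = any(_entry_matches(e, client) for e in deny)
    if not allow and not deny:
        return True          # no lists at all: everyone may connect
    if not deny:
        return in_allow      # allow list only: unlisted hosts are refused
    if not allow:
        return not in_deny   # deny list only: unlisted hosts are admitted
    if in_allow:
        return True          # both lists: the allow list wins ...
    return not in_deny       # ... then deny; hosts in neither are admitted


def parse_smb_conf(text: str) -> dict:
    """Return the [global] hosts allow / hosts deny values (empty if unset)."""
    found = {"hosts allow": "", "hosts deny": ""}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            key = " ".join(key.lower().split())  # 'Hosts  Allow' -> 'hosts allow'
            if key in found:
                found[key] = value.strip()
    return found


def publicly_reachable(smb_conf_text: str) -> bool:
    """Would an arbitrary Internet host get past smb.conf's host lists?

    True means the only thing keeping port 139 private is the packet filter.
    """
    conf = parse_smb_conf(smb_conf_text)
    return client_allowed(PUBLIC_PROBE, conf["hosts allow"], conf["hosts deny"])


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for ip in ("127.0.0.1", "192.168.2.17", "192.168.4.1", PUBLIC_PROBE):
        verdict = client_allowed(ip, conf["hosts allow"], conf["hosts deny"])
        print(ip, "allowed" if verdict else "refused")
    print("publicly reachable:", publicly_reachable(SAMPLE_SMB_CONF))
```

publicly_reachable() answers the question this article keeps returning to: if the packet filter is absent or fails, does smb.conf itself still refuse a stranger? It covers only smbd's host lists; port 445, SWAT and the interfaces settings need their own checks.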
Samba servers have one extra risk not shared by Windows servers.
The Samba Web Administration Tool (SWAT) runs under inetd,
normally via
TCP wrappers.
Care is needed in inetd.conf and hosts.allow to restrict access to SWAT
to the local network
and keep it off the Internet.
Alternatively,
there are
instructions
on how to offer SWAT over SSL.
One way this Samba vulnerability stands out from Sendmail earlier this month
is that it's a bit of a surprise.
Despite Samba's long history and wide use, it has shown few vulnerabilities
which are not a consequence of the SMB protocol.
The other way is that malicious exploits appear to have been tested or used
before the announcement.
SuSE saw anomalous crashes in one of their public servers.
Analysis of the logs was enough to persuade the Samba team to bring the
2.2.8 release forward --
a truly alarming response.
Site administrators should act soon, first to make sure that their SMB is
not visible
on the Internet,
and then to upgrade Samba to 2.2.8.
(Thanks to Jeremy Allison for assistance with this article).
March CRYPTO-GRAM newsletter
Bruce Schneier's CRYPTO-GRAM newsletter for March is out. It looks at
Practical Cryptography (a new book he co-authored with Niels
Ferguson), the defeat of the SSL patent, and the SSL vulnerability.
"By now it
should be obvious that hackers don't steal credit card numbers one by
one across the network; they steal them in bulk -- by the thousands or
even millions -- by breaking into poorly protected networks. Many
smaller e-commerce sites don't use SSL to protect their credit card
transactions, and even there this kind of attack simply doesn't
happen."
New vulnerabilities
kernel - ptrace-related vulnerability
| Package(s): | kernel |
| CVE #(s): | CAN-2003-0127 |
| Created: | March 17, 2003 |
| Updated: | June 30, 2003 |
| Description: |
Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in
ptrace() which may be exploited by a local user to obtain root
access. This announcement contains the
details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released
which contains the fix. |
lprold - buffer overflow in lprm
| Package(s): | lprold lpd |
| CVE #(s): | CAN-2003-0144 |
| Created: | March 13, 2003 |
| Updated: | May 28, 2003 |
| Description: |
The lprm command of the printing package lprold contains a buffer
overflow. This buffer overflow can be exploited by a local user, if the
printer system is set up correctly, to gain root privileges. |
lxr - input validation error
| Package(s): | lxr |
| CVE #(s): | |
| Created: | March 19, 2003 |
| Updated: | March 19, 2003 |
| Description: |
lxr fails to properly sanitize incoming filenames, with the result that an attacker can read arbitrary files on the system. |
man - code execution vulnerability
| Package(s): | man |
| CVE #(s): | CAN-2003-0124 |
| Created: | March 19, 2003 |
| Updated: | May 7, 2003 |
| Description: |
Versions of man prior to 1.51 contain a code execution vulnerability which can be exploited by a carefully crafted man file. See this advisory for the details. |
mysql - configuration file vulnerability
| Package(s): | mysql mysqld |
| CVE #(s): | CAN-2003-0150 |
| Created: | March 18, 2003 |
| Updated: | May 16, 2003 |
| Description: |
According to a
report on BugTraq, a vulnerability exists in
version 3.23.55 and earlier versions of the MySQL server. If the MySQL server is
launched by root, as is often done by system startup scripts, any
database user with the "FILE" privilege can write a configuration file
(usually my.cnf) that causes the MySQL server to run under an arbitrary
user id, including the user id of the super-user, on the next restart. |
NetPBM: math overflow errors
| Package(s): | NetPBM |
| CVE #(s): | CAN-2003-0146 |
| Created: | March 17, 2003 |
| Updated: | May 27, 2003 |
| Description: |
Al Viro and Alan Cox discovered several math overflow errors in
NetPBM, a set of graphics conversion tools. These programs are not
installed setuid root but are often installed to prepare data for
processing. These vulnerabilities may allow remote attackers to cause
a denial of service or execute arbitrary code. |
openssl: local and remote extraction of RSA private key
| Package(s): | openssl, apache, mod_ssl |
| CVE #(s): | CAN-2003-0147 |
| Created: | March 18, 2003 |
| Updated: | May 22, 2003 |
| Description: |
David Brumley and Dan Boneh of Stanford University have researched and
documented a timing attack on OpenSSL which allows local and remote
attackers to extract the RSA private key of a server. The OpenSSL RSA
implementation is generally vulnerable to this type of attack unless RSA
blinding has been turned on. See this
paper (pdf format) for additional details.
Typically, RSA blinding is not enabled by OpenSSL-based applications,
mainly because it is not obvious how to do so when using OpenSSL to provide
SSL/TLS. This problem affects almost all applications using OpenSSL; they
have to be rebuilt against the fixed OpenSSL version (where RSA blinding
is now enabled by default) or have to enable RSA blinding explicitly
themselves.
The performance impact of RSA blinding appears to be small (a few percent
only) and the RSA functionality remains fully compatible. The Common
Vulnerabilities and Exposures (CVE) project assigned the id
CAN-2003-0147 to the problem. |
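Blinding is simple enough to show in full. The following is an added example, not OpenSSL code, that puts textbook RSA decryption beside the blinded form described in the advisory, using a toy key constructed from two fixed primes (far too small for real use). It shows that blinding changes the value the private-key operation sees on every call, which is what denies the attacker control over the timing, while leaving the result unchanged. Whether a given OpenSSL build blinds by default is decided by the library version, not by anything in this code.

```python
import math
import secrets

# Toy RSA key built from two fixed primes so the numbers stay readable.
# Constructed for this example only; real keys are generated, not hard-coded.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def encrypt(m: int) -> int:
    """Public operation: c = m^e mod N."""
    return pow(m, E, N)


def decrypt_plain(c: int) -> int:
    """Textbook RSA: the private exponentiation runs directly on the
    attacker-supplied ciphertext, so its running time is a function of c."""
    return pow(c, D, N)


def decrypt_blinded(c: int) -> int:
    """RSA with blinding, the countermeasure the advisory turns on.

    A fresh random r is folded into the ciphertext before exponentiation
    (c' = r^e * c mod N), so the value going through the private-key
    operation is unknown to the attacker.  Since (r^e * c)^d = r * m mod N,
    multiplying by r^-1 afterwards recovers m exactly.
    """
    while True:
        r = secrets.randbelow(N)
        if r > 1 and math.gcd(r, N) == 1:   # r must be invertible mod N
            break
    blinded_c = (pow(r, E, N) * c) % N
    blinded_m = pow(blinded_c, D, N)       # equals r * m mod N
    return (blinded_m * pow(r, -1, N)) % N


def blinding_preserves_result(messages) -> bool:
    """Both decryptions must recover every message identically."""
    return all(decrypt_plain(encrypt(m)) == m == decrypt_blinded(encrypt(m))
               for m in messages)


if __name__ == "__main__":
    for m in (0, 1, 42, 2 ** 59, N - 1):
        c = encrypt(m)
        print(m, decrypt_plain(c) == m, decrypt_blinded(c) == m)
```

The cost of the countermeasure is visible in the code: one extra public-exponent exponentiation, one modular inverse and two multiplications per private-key operation, which is where the advisory's "a few percent" comes from for real key sizes.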
rxvt - vulnerabilities in the handling of escape sequences
| Package(s): | rxvt |
| CVE #(s): | CAN-2003-0022, CAN-2003-0023, CAN-2003-0066 |
| Created: | March 17, 2003 |
| Updated: | March 26, 2003 |
| Description: |
Rxvt is a color VT102 terminal emulator for the X Window System. A number
of issues have been found in the escape sequence handling of Rxvt.
These could potentially be exploited if an attacker can cause carefully
crafted escape sequences to be displayed on an rxvt terminal being used by
their victim.
One of the features which most terminal emulators support is the ability
for the shell to set the title of the window using an escape sequence.
Certain xterm variants, including rxvt, also provide an escape sequence for
reporting the current window title. This essentially takes the current
title and places it directly on the command line. Since it is not
possible to embed a carriage return into the window title itself, the
attacker would have to convince the victim to hit enter for it to process
the title as a command, although the attacker can perform a number of
actions to increase the likelihood of this happening.
The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite
arbitrary files via a certain character escape sequence when it is echoed
to a user's terminal, e.g. when the user views a file containing the
malicious sequence.
The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options
and execute arbitrary commands via a certain character escape sequence that
inserts the commands into the menu.
Users of Rxvt are advised to upgrade to these errata packages which contain
a patch to disable the title reporting functionality and patches to correct
the other issues. |
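The common thread in all three rxvt issues is untrusted bytes reaching the terminal's escape-sequence parser. Besides upgrading, the practical defence on the receiving side is to strip everything except plain text and harmless colour codes before displaying files, logs or chat messages from strangers. The following is an added example, not rxvt or Red Hat code: an allow-list filter that removes OSC strings (the title-set family, and rxvt's other OSC-driven controls) and every CSI sequence other than SGR colour/attribute codes, including the CSI 21 t title report named above. The demo payload is constructed for this example; the exact OSC numbers rxvt used for screen dump and menuBar are not given in the advisory and are deliberately not hard-coded, which is why all OSC strings are dropped rather than a few.

```python
import re

# One regex; alternatives are tried in order at each position: a complete
# OSC string (ESC ] ... BEL or ESC \), a complete CSI sequence (ESC [ params
# intermediates final, per the ECMA-48 byte ranges), or one stray C0/DEL
# control byte.  An ESC that begins neither a full OSC nor a full CSI falls
# through to the third case and is dropped, leaving its payload as visible
# text instead of a live sequence.
_TOKEN = re.compile(
    r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"     # OSC: title set and friends
    r"|\x1b\[[0-?]*[ -/]*[@-~]"              # CSI
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"      # other controls; keeps \t \n \r
)

# Constructed payload of the kind the advisory describes: set the title to a
# command, then ask the terminal to type the title back (CSI 21 t).
DEMO_PAYLOAD = (
    "harmless text"
    "\x1b]2;rm -rf ~\x07"     # OSC 2: set window title to a shell command
    "\x1b[21t"                # CSI 21 t: report title onto the input line
    "more text"
    "\x1b[31mred\x1b[0m\n"    # SGR colour: harmless, should survive
)


def analyze(text: str):
    """Return (sanitised text, counts of what was removed or kept)."""
    counts = {"osc": 0, "csi_window_op": 0, "csi_other": 0, "sgr_kept": 0, "c0": 0}

    def decide(match):
        seq = match.group(0)
        if seq.startswith("\x1b]"):
            counts["osc"] += 1                 # any OSC: drop
            return ""
        if seq.startswith("\x1b["):
            if seq.endswith("m"):              # SGR (colour, bold): allow through
                counts["sgr_kept"] += 1
                return seq
            if seq.endswith("t"):              # xterm window ops incl. title report
                counts["csi_window_op"] += 1
            else:
                counts["csi_other"] += 1       # cursor moves, clears, etc.
            return ""
        counts["c0"] += 1                      # lone ESC, BEL, NUL, ...: drop byte
        return ""

    return _TOKEN.sub(decide, text), counts


def sanitize(text: str) -> str:
    """Allow-list filter: keep printable text, whitespace and SGR; drop the rest."""
    return analyze(text)[0]


if __name__ == "__main__":
    cleaned, stats = analyze(DEMO_PAYLOAD)
    print(repr(cleaned))
    print(stats)
```

Run untrusted output through sanitize() before it reaches a terminal (for example in a pager wrapper or when tailing a log that others can write to). Keeping only SGR is a deliberate trade: cursor-movement sequences are lost, but nothing that can set a title, query the terminal or touch the filesystem gets through.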
samba - exploitable buffer overruns
| Package(s): | samba |
| CVE #(s): | CAN-2003-0085, CAN-2003-0086 |
| Created: | March 17, 2003 |
| Updated: | April 4, 2003 |
| Description: |
The SuSE security audit team, in particular Sebastian Krahmer, has found a
flaw in the Samba main smbd code which could allow an external attacker to
remotely and anonymously gain super user (root) privileges on a server
running Samba.
This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a
inclusive. This is a serious problem and all sites should either
upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139
and 445. Advice created by Andrew Tridgell, the leader of the Samba
Team, on how to protect an unpatched Samba server is given at the end
of this section.
The SMB/CIFS protocol implemented by Samba is vulnerable to many
attacks, even without specific security holes. The TCP ports 139 and
the new port 445 (used by Win2k and the Samba 3.0 alpha code in
particular) should never be exposed to untrusted networks.
See this article for more information. Samba-TNG users should update to version 0.3.1. |
Updated vulnerabilities
apcupsd - remote root vulnerability and buffer overflows
| Package(s): | apcupsd |
| CVE #(s): | CAN-2003-0098, CAN-2003-0099 |
| Created: | February 24, 2003 |
| Updated: | April 3, 2003 |
| Description: |
From the MandrakeSoft
advisory:
A remote root vulnerability in slave setups and some buffer overflows in
the network information server code were discovered by the apcupsd
developers. They have been fixed in the latest unstable version, 3.10.5,
which contains additional enhancements like USB support, and the latest
stable version, 3.8.6.
There are a few changes that need to be noted, such as the port has changed
from port 7000 to port 3551 for NIS, and the new config only allows access
from the localhost. Users may need to modify their configuration files
appropriately, depending upon their configuration. |
Heap corruption vulnerability in at
| Package(s): | at, sudo, xchat |
| CVE #(s): | CAN-2002-0004 |
| Created: | May 20, 2002 |
| Updated: | May 15, 2003 |
| Description: |
The at command has a
potentially exploitable heap corruption bug.
(First LWN report: January 17th). |
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc |
| CVE #(s): | CAN-2002-0651, CAN-2002-0684 |
| Created: | July 8, 2002 |
| Updated: | September 30, 2003 |
| Description: |
The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunately that does not mean that Linux systems are not vulnerable.
Similar code, without Olaf Kirch's fixes,
is in the glibc getnetbyXXX functions.
These functions are described in the SuSE alert as
"used by very few applications only, such as ifconfig and ifuser,
which makes exploits less likely."
CERT Advisory CA-2002-19: Buffer Overflow in Multiple DNS Resolver Libraries
(CAN-2002-0651, CAN-2002-0684). |
BitchX - denial of service
| Package(s): | BitchX |
| CVE #(s): | |
| Created: | February 20, 2003 |
| Updated: | May 26, 2003 |
| Description: |
From this Bugtraq posting:
A denial of service vulnerability exists in BitchX. Sending a malformed
RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was
reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are
unaware of any patches or workarounds provided by panasync and or any
members of #bitchx |
Canna server: exploitable buffer overrun
| Package(s): | canna |
| CVE #(s): | CAN-2002-1158, CAN-2002-1159 |
| Created: | December 10, 2002 |
| Updated: | September 30, 2003 |
| Description: |
Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2
allows a local user to gain the privileges of the user 'bin' which could
lead to further exploits. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.
A lack of validation of requests has been found that affects Canna version
3.6 and earlier. A malicious remote user could exploit this vulnerability
to leak information, or cause a denial of service attack. (CAN-2002-1159)
See also
http://canna.sourceforge.jp/sec/Canna-2002-01.txt |
CVS - exploitable double-free bug in the CVS server
| Package(s): | cvs |
| CVE #(s): | CAN-2003-0015 |
| Created: | January 20, 2003 |
| Updated: | April 7, 2003 |
| Description: |
CVS is a version control system frequently used to manage source code
repositories. During an audit of the CVS sources, Stefan Esser
discovered an exploitable double-free bug in the CVS server.
On servers which are configured to allow anonymous read-only access, this
bug could be used by anonymous users to gain write privileges. Users with
CVS write privileges can then use the Update-prog and Checkin-prog features
to execute arbitrary commands on the server.
All users of CVS are advised to upgrade to erratum packages which contain
patches to correct the double-free bug.
See also this CERT advisory. |
dhcp3 - ignored counter boundary
| Package(s): | dhcp3 |
| CVE #(s): | CAN-2003-0039 |
| Created: | January 28, 2003 |
| Updated: | April 4, 2003 |
| Description: |
Florian Lohoff discovered a bug in the dhcrelay causing it to send a
continuing packet storm towards the configured DHCP server(s) in case
of a malicious BOOTP packet, such as sent from buggy Cisco switches.
When the dhcp-relay receives a BOOTP request it forwards the request
to the DHCP server using the broadcast MAC address ff:ff:ff:ff:ff:ff
which causes the network interface to reflect the packet back into the
socket. To prevent loops the dhcrelay checks whether the
relay-address is its own, in which case the packet would be dropped.
In combination with a missing upper boundary for the hop counter an
attacker can force the dhcp-relay to send a continuing packet storm
towards the configured dhcp server(s).
This patch introduces a new commandline switch ``-c maxcount'' and
people are advised to start the dhcp-relay with ``dhcrelay -c 10''
or a smaller number, which will only create that many packets.
The dhcrelay program from the ``dhcp'' package does not seem to be
affected since DHCP packets are dropped if they were apparently
relayed already. |
dvips: command execution vulnerability
| Package(s): | dvips |
| CVE #(s): | CAN-2002-0836 |
| Created: | October 16, 2002 |
| Updated: | June 10, 2003 |
| Description: |
The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. |
ethereal - format string vulnerability
| Package(s): | ethereal |
| CVE #(s): | CAN-2003-0081 |
| Created: | March 10, 2003 |
| Updated: | June 12, 2003 |
| Description: |
The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string
overflow. This vulnerability has been present in Ethereal since the SOCKS
dissector was introduced in version 0.8.7. It was discovered by Georgi
Guninski. Additionally, the NTLMSSP code is susceptible to a heap
overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade.
See the full
advisory for additional information. |
Filename disclosure vulnerability in fam
| Package(s): | fam |
| CVE #(s): | CAN-2002-0875 |
| Created: | August 19, 2002 |
| Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
fetchmail: buffer overflow
| Package(s): | fetchmail |
| CVE #(s): | CAN-2002-1365 |
| Created: | December 17, 2002 |
| Updated: | October 20, 2003 |
| Description: |
Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. |
file - memory allocation problem, stack overflow
| Package(s): | file |
| CVE #(s): | CAN-2003-0102 |
| Created: | March 4, 2003 |
| Updated: | June 4, 2003 |
| Description: |
Jeff Johnson found a memory allocation problem and David Endler found a
stack overflow corruption problem in the file "Automatic File Content
Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section
and program header handling in file version 3.40. The folks at OpenPKG
believe that file versions without those modifications are vulnerable to
memory allocation and stack overflow problems which put security at risk. |
GNU fileutils race condition
| Package(s): | fileutils ucdsnmp |
| CVE #(s): | CAN-2002-0435 |
| Created: | May 20, 2002 |
| Updated: | May 16, 2003 |
| Description: | A race condition in rm may cause the root user to delete the whole filesystem. The problem exists in the version of rm in fileutils 4.1 stable and 4.1.6 development version. A patch is available. (First LWN report: May 2). |
| Alerts: | |
Comments (none posted)
Potential remote root exploit in glibc
| Package(s): | glibc |
| CVE #(s): | CAN-2002-0391 |
| Created: | August 14, 2002 |
| Updated: | June 29, 2003 |
| Description: | Felix von Leitner discovered a potential division by zero bug in code derived from the SunRPC library which is used in glibc. This bug could be exploited to gain unauthorized root access to software linking to glibc. Updating as soon as practical is a good idea. Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. See CERT/CC Vulnerability Note VU#192995: Integer overflow in xdr_array() function when deserializing the XDR stream. |
| Alerts: | |
Comments (none posted)
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc |
| CVE #(s): | CAN-2002-1146 |
| Created: | November 7, 2002 |
| Updated: | February 5, 2004 |
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow vulnerability. The impact of this vulnerability appears to be limited to denial of service. (See CERT Vulnerability Note VU#738331.) The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, use the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). |
| Alerts: | |
Comments (none posted)
IMP - SQL injection vulnerability
| Package(s): | imp |
| CVE #(s): | CAN-2003-0025 |
| Created: | January 15, 2003 |
| Updated: | July 8, 2003 |
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. |
| Alerts: | |
Comments (1 posted)
kdelibs: Vulnerabilities in KIO subsystem support
| Package(s): | kdelibs |
| CVE #(s): | CAN-2002-1281, CAN-2002-1282 |
| Created: | November 22, 2002 |
| Updated: | March 14, 2003 |
| Description: | Vulnerabilities were discovered in the KIO subsystem support for various network protocols. The implementation of the rlogin protocol affects all KDE versions from 2.1 up to 3.0.4, while the flawed implementation of the telnet protocol only affects KDE 2.x. They allow a carefully crafted URL in an HTML page, HTML email, or other KIO-enabled application to execute arbitrary commands as the victim with their privilege. The KDE team provided a patch for KDE3 which has been applied in these packages. No patch was provided for KDE2; however, the KDE team recommends disabling both the rlogin and telnet KIO protocols. This can be accomplished by removing, as root, the following files: /usr/share/services/telnet.protocol and /usr/share/services/rlogin.protocol. If either file also exists in a user's ~/.kde/share/services directory, it should likewise be removed. See also: http://www.kde.org/info/security/advisory-20021111-1.txt |
| Alerts: | |
Comments (none posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
| CVE #(s): | CAN-2003-0019 |
| Created: | February 7, 2003 |
| Updated: | January 21, 2005 |
| Description: | The kernel-utils package contains several utilities that can be used to control the kernel or machine hardware. In Red Hat Linux 8.0 this package contains user mode linux (UML) utilities. The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability, issue the following command as root: chmod -s /usr/bin/uml_net |
| Alerts: | |
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
| CVE #(s): | CAN-2002-1363 |
| Created: | December 19, 2002 |
| Updated: | July 14, 2004 |
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly, which causes a buffer overrun beyond the beginning of the row buffer. |
| Alerts: | |
Comments (none posted)
lynx: CRLF injection vulnerability
| Package(s): | lynx |
| CVE #(s): | CAN-2002-1405 |
| Created: | November 19, 2002 |
| Updated: | September 30, 2003 |
| Description: | If lynx is given a URL with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. |
| Alerts: | |
Comments (none posted)
perl-MailTools: remote command execution
| Package(s): | MailTools |
| CVE #(s): | CAN-2002-1271 |
| Created: | November 5, 2002 |
| Updated: | September 19, 2003 |
| Description: | The SuSE Security Team reviewed critical Perl modules, including the Mail::Mailer package. This package contains a security hole which allows remote attackers to execute arbitrary commands in certain circumstances. This is due to the usage of mailx as default mailer, which allows commands to be embedded in the mail body. Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. |
| Alerts: | |
Comments (none posted)
micq: Denial of service
| Package(s): | micq |
| CVE #(s): | |
| Created: | December 13, 2002 |
| Updated: | April 24, 2003 |
| Description: | Rüdiger Kuhlmann, upstream developer of mICQ, a text based ICQ client, discovered a problem in mICQ. Receiving certain ICQ message types that do not contain the required 0xFE separator causes all versions to crash. |
| Alerts: | |
Comments (none posted)
MySQL: multiple vulnerabilities
| Package(s): | mysql |
| CVE #(s): | |
| Created: | December 13, 2002 |
| Updated: | April 10, 2003 |
| Description: | The MySQL database server has several buffer overflow and integer bounds checking vulnerabilities which can lead to denial of service attacks and, possibly, remote code execution. See this e-matters advisory for details. Version 3.23.54 fixes the problems. |
| Alerts: | |
Comments (none posted)
mysqlcc - world readable file permissions
| Package(s): | mysqlcc |
| CVE #(s): | |
| Created: | March 7, 2003 |
| Updated: | March 12, 2003 |
| Description: | Gentoo reports that versions of mysqlcc prior to 0.8.9 had all configuration and connection files world readable. |
| Alerts: | |
Comments (none posted)
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye |
| CVE #(s): | CAN-2003-0358, CAN-2003-0359 |
| Created: | February 18, 2003 |
| Updated: | July 15, 2003 |
| Description: | Overflowing a buffer in nethack may lead to privilege escalation to the games uid. Read the full advisory for the details. Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages. |
| Alerts: | |
Comments (none posted)
netscape-flash: buffer overflow
| Package(s): | netscape-flash |
| CVE #(s): | |
| Created: | March 10, 2003 |
| Updated: | June 20, 2003 |
| Description: | Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a user's machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade." |
| Alerts: | |
Comments (none posted)
net-snmp: denial of service vulnerability
| Package(s): | net-snmp |
| CVE #(s): | CAN-2002-1170 |
| Created: | December 17, 2002 |
| Updated: | November 7, 2003 |
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. |
| Alerts: | |
Comments (none posted)
pam_xauth: root exploit
| Package(s): | pam_xauth |
| CVE #(s): | CAN-2002-1160 |
| Created: | February 13, 2003 |
| Updated: | July 10, 2003 |
| Description: | The pam_xauth module is used to forward xauth information from user to user in applications such as 'su'. Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker. |
| Alerts: | |
Comments (none posted)
PHP: vulnerability in mail function
| Package(s): | php |
| CVE #(s): | CAN-2002-0985, CAN-2002-0986 |
| Created: | November 13, 2002 |
| Updated: | September 30, 2003 |
| Description: | Two vulnerabilities exist in the mail() PHP function. The first one allows the execution of any program/script, bypassing the safe_mode restriction; the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. |
| Alerts: | |
Comments (none posted)
PostgreSQL - more buffer overflows
| Package(s): | postgresql |
| CVE #(s): | |
| Created: | February 12, 2003 |
| Updated: | November 7, 2003 |
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. |
| Alerts: | |
Comments (1 posted)
Local arbitrary code execution vulnerability in Python
| Package(s): | python |
| CVE #(s): | CAN-2002-1119 |
| Created: | August 28, 2002 |
| Updated: | September 30, 2003 |
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. |
| Alerts: | |
Comments (none posted)
qpopper - buffer overflow
| Package(s): | qpopper |
| CVE #(s): | CAN-2003-0143 |
| Created: | March 12, 2003 |
| Updated: | March 21, 2003 |
| Description: | As reported in this advisory, qpopper 4.0.x contains a buffer overflow vulnerability which may be exploited remotely, but only by an attacker possessing a valid username and password. |
| Alerts: | |
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
| CVE #(s): | CAN-2002-1323 |
| Created: | October 9, 2002 |
| Updated: | February 20, 2004 |
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. |
| Alerts: | |
Comments (none posted)
slocate - buffer overflow
| Package(s): | slocate |
| CVE #(s): | CAN-2003-0056 |
| Created: | February 5, 2003 |
| Updated: | May 8, 2003 |
| Description: | Version 2.6 (at least) of slocate contains a buffer overflow vulnerability which could lead to a local exploit; see this advisory for the details. |
| Alerts: | |