Security

Vulnerabilities have been found in the way mod_auth_any escapes shell arguments when calling external programs. These vulnerabilities allow remote attackers to run arbitrary commands as the user under which the Web server is running.

Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely."

CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries

CAN-2002-0651
CAN-2002-0684

A denial of service vulnerability exists in BitchX. Sending a malformed RPL_NAMREPLY numeric 353 causes BitchX to segfault. This problem was reported to panasync@efnet#bitchx on Jan 30 2003, as of this writing we are unaware of any patches or workarounds provided by panasync and or any members of #bitchx

A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue.

A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159)

See also http://canna.sourceforge.jp/sec/Canna-2002-01.txt

CAN-2002-1158
CAN-2002-1159

Ximian Evolution is a personal and workgroup information management solution for Linux and UNIX-based systems. The software integrates email, calendaring, meeting scheduling, contact management, and task lists, in one application.

Updating as soon as practical is a good idea.

CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream

The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash).

GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash.

KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files.

An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such malicious file and has file previews enabled.

An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possible other means.

OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is also vulnerable.

The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode.

All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root.

Alternatively, as a work-around to this vulnerability issue the following command as root:

chmod -s /usr/bin/uml_net

CAN-2002-1405

Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags.

mgetty can be configured to run an external program to decide whether or not to answer an incoming call based on Caller ID information. Unpatched versions of mgetty prior to 1.1.29 would overflow an internal buffer if the caller name reported by the modem was too long.

Additionally, the faxspool script supplied with versions of mgetty prior to 1.1.29 used a simple permissions scheme to allow or deny fax transmission privileges. This scheme was easily circumvented because the spooling directory used for outgoing faxes was world-writable.

Read the the full advisory for the details.

Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages.

Typically, RSA blinding is not enabled by OpenSSL based applications, mainly because it is not obvious how to do so when using OpenSSL to provide SSL/TLS. This problem affects mostly all applications using OpenSSL and have to be rebuilded against the fixed OpenSSL version (where RSA blinding is now enabled by default) or have to enable RSA blinding explicitly their own.

The performance impact of RSA blinding appears to be small (a few percent only) and the RSA functionality is still fully compatible. The Common Vulnerabilities and Exposures (CVE) project assigned the id CAN-2003-0147 to the problem.

Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker.

CAN-2002-0985
CAN-2002-0986

CAN-2002-1119

Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and earlier allow remote attackers to execute script as other Web users via mailbox displays, message displays, or search results displays. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0160 to these issues.

All users are advised to upgrade to these errata packages containing SquirrelMail version 1.2.11, which is not vulnerable to these issues.

In addition to the above problem the tcpdump developers discovered a potential infinite loop when parsing malformed BGP packets. They also discovered a buffer overflow that can be exploited with certain malformed NFS packets.

See CERT VU#464113 and this BugTraq post for more information.

Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page.

The VNC server acts as an X server, but the script for starting it generates an MIT X cookie (which is used for X authentication) without using a strong enough random number generator. This could allow an attacker to be able to more easily guess the authentication cookie.

The VNC DES authentication scheme is implemented using a challenge-response architecture, producing a random and different challenge for each authentication attempt. A bug in the function for generating the random challenge caused the random seed to get reset to the current time on every authentication attempt. Therefore, two authentication attempts within the same second could receive the same challenge. An eavesdropper could exploit this vulnerability by replaying the response, thereby gaining authentication.

All users of VNC are advised to upgrade to these erratum packages, which contain patches to correct these issues.

FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3).

If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine.

See also this Bugtraq article from 1997.

CAN-2002-1344

Many Linux systems do not run libgtop by default, but applying the update is a good idea anyway.

CAN-2002-0818