LWN Weekly Edition
Front pageSecurity
Kernel development
Distributions
Development
Linux in the news
Announcements
Letters to the editor
->One big page
This page
Previous weekFollowing week
| Weekly edition | Kernel | Security | Distributions | Search |
| Archives | Calendar | Subscribe | Write for LWN | LWN.net FAQ |
Security
Security news
Some interesting publicity
For today's amusement, let's look at this TechWeb article on patch management. In the middle of the article one finds:
The first claim - that a given Linux server gets more updates than a given Windows server - could at least be verified. Whether the figure means anything is another story. Updates to a Linux system cover the vast array of packages available there. Many of them result from active code audits and fix obscure problems that are difficult to exploit. Of the large number of security problems fixed by Linux distributors each year, it is a good bet that most of them are never exploited to compromise even a single system. How many systems have you encountered that are threatened by any of these recently-patched problems?
- The Hangul Terminal
vulnerability ("Since it is not possible to embed a carriage
return into the window title the attacker would then have to convince
the victim to press 'Enter' for it to process the title as a
command...")
- Insecure temporary files in
gzip. It is a local vulnerability, but the chances of it
being used are very small.
- The file vulnerability, which requires an attacker to convince the system administrator to run "file" on a specially-crafted file.
...and so on. It is good that these problems are being fixed, but they do not threaten most users. The updates to that Windows system, instead, are far more likely to be addressing serious vulnerabilities that are being actively exploited.
The second claim in the TechWeb article ("many of the attacks aimed at Windows vulnerabilities are written by Linux experts") requires a response. How, exactly, did they come by this information? It is, after all, rare for authors of malware to include their resumes with the code. This statement is pure slander which has been reported as fact. One can only hope that a correction will be forthcoming.
New vulnerabilities
atftp: buffer overflow
| Package(s): | atftp | CVE #(s): | CAN-2003-0380 | ||||||
| Created: | June 9, 2003 | Updated: | June 12, 2003 | ||||||
| Description: | Rick Patel discovered that atftpd is vulnerable to a buffer overflow when a long filename is sent to the server. An attacker could exploit this bug remotely to execute arbitrary code on the server. Read the full advisory for more information. | ||||||||
| Alerts: |
| ||||||||
eterm: buffer overflow
| Package(s): | eterm | CVE #(s): | |||||||
| Created: | June 9, 2003 | Updated: | June 12, 2003 | ||||||
| Description: | "bazarr" discovered that eterm is vulnerable to a buffer overflow of the ETERMPATH environment variable. This bug can be exploited to gain the privileges of the group "utmp" on a system where eterm is installed. | ||||||||
| Alerts: |
| ||||||||
gzip: insecure temporary files
| Package(s): | gzip | CVE #(s): | CVE-1999-1332 CAN-2003-0367 | ||||||||||||
| Created: | June 9, 2003 | Updated: | June 16, 2003 | ||||||||||||
| Description: | Paul Szabo discovered that znew, a script included in the gzip
package, creates its temporary files without taking precautions to
avoid a symlink attack (CAN-2003-0367).
The gzexe script has a similar vulnerability which was patched in an earlier release but inadvertently reverted. | ||||||||||||||
| Alerts: |
| ||||||||||||||
hanterm: two vulnerabilities in Hangul Terminal
| Package(s): | hanterm | CVE #(s): | CAN-2003-0077 CAN-2003-0079 | ||||||
| Created: | June 6, 2003 | Updated: | June 11, 2003 | ||||||
| Description: | Hangul Terminal is a terminal emulator for the X Window System, based on Xterm.
Hangul Terminal provides an escape sequence for reporting the current window title, which essentially takes the current title and places it directly on the command line. An attacker can craft an escape sequence that sets the window title of a victim using Hangul Terminal to an arbitrary command and then report it to the command line. Since it is not possible to embed a carriage return into the window title the attacker would then have to convince the victim to press Enter for it to process the title as a command, although the attacker could craft other escape sequences that might convince the victim to do so. In addition, it is possible to lock up Hangul Terminal before version 2.0.5 by sending an invalid DEC UDK escape sequence. | ||||||||
| Alerts: |
| ||||||||
KDE: vulnerability in SSL implementation
| Package(s): | KDE | CVE #(s): | CAN-2003-0370 | |||
| Created: | June 6, 2003 | Updated: | June 11, 2003 | |||
| Description: | KDE versions 2.2.2 and earlier have a vulnerability in their SSL implementation that makes it possible for users of Konqueror and other SSL enabled KDE software to fall victim to a man-in-the-middle attack. | |||||
| Alerts: |
| |||||
mod_php: integer overflow
| Package(s): | mod_php php | CVE #(s): | ||||
| Created: | June 9, 2003 | Updated: | June 12, 2003 | |||
| Description: | The PHP emalloc() function implements the error safe wrapper around
malloc(). Unfortunately this function suffers from an integer overflow and
considering the fact that emalloc() is used in many places around PHP
source code, it may lead to many serious security issues. Read the full
advisory.
The function str_repeat(string input, int multiplier) returns input repeated multiplier times. The implementation of this function suffers from a simple integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory. The function array_pad(array input, int pad_size, mixed pad_value) returns a copy of the input padded to size specified by pad_size with pad_value. Unfortunately the implementation of this function suffers from an integer overflow caused by a very long second argument and could allow a local/remote attacker in the worst case to gain control over the web server. Read the full advisory. | |||||
| Alerts: |
| |||||
XaoS: improper setuid-root execution
| Package(s): | xaos | CVE #(s): | ||||
| Created: | June 9, 2003 | Updated: | June 11, 2003 | |||
| Description: | XaoS, a program for displaying fractal images, is installed setuid root on certain architectures in order to use svgalib, which requires access to the video hardware. However, it is not designed for secure setuid execution, and can be exploited to gain root privileges. | |||||
| Alerts: |
| |||||
Updated vulnerabilities
LPRng: insecure temporary file
| Package(s): | LPRng | CVE #(s): | CAN-2003-0136 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | June 16, 2003 | ||||||||||||||||||
| Description: | Karol Lewandowski discovered that psbanner, a printer filter that creates a PostScript format banner and is part of LPRng, insecurely creates a temporary file for debugging purpose when it is configured as filter. The program does not check whether this file already exists or is linked to another place writes its current environment and called arguments to the file unconditionally with the user id daemon. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
perl-MailTools: remote command execution
| Package(s): | MailTools | CVE #(s): | CAN-2002-1271 | |||||||||||||||
| Created: | November 5, 2002 | Updated: | September 19, 2003 | |||||||||||||||
| Description: | The SuSE Security Team reviewed critical Perl modules, including the
Mail::Mailer package. This package contains a security hole which allows
remote attackers to execute arbitrary commands in certain circumstances.
This is due to the usage of mailx as default mailer which allows commands
to be embedded in the mail body.
Note that mail processing programs which use this package can be affected by this vulnerability; in particular, SpamAssassin is vulnerable if you use the -r or -w flags. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm | CVE #(s): | CAN-2002-1323 | |||||||||||||||
| Created: | October 9, 2002 | Updated: | February 20, 2004 | |||||||||||||||
| Description: | usePerl has a description of a vulnerability in the Safe.pm Perl module. It seems that if a Safe compartment is used more than once, it ceases to be safe. The problem is fixed in Safe 2.08. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Apache 2 - denial of service
| Package(s): | apache | CVE #(s): | CAN-2003-0189 CAN-2003-0245 | ||||||||||||||||||
| Created: | May 28, 2003 | Updated: | June 16, 2003 | ||||||||||||||||||
| Description: | A new set of denial of service vulnerabilities has been found in Apache versions 2.0 through 2.0.45. The potential for a remote code exploit apparently exists as well. See the Apache 2.0.46 announcement for more information. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
bind buffer overflow vulnerability in DNS resolver libraries
| Package(s): | bind glibc | CVE #(s): | CAN-2002-0651 CAN-2002-0684 | |||||||||||||||||||||||||||||||||||||||||||||
| Created: | July 8, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||||||||||||||
| Description: | The BIND 4.9.8-OW2 patch and BIND 4.9.9 release (and thus 4.9.9-OW1)
include fixes for a libc related vulnerability which does not
affect Linux. Updates from
the Internet Software Consortium (ISC)
are available from here.
No release or branch of Openwall GNU/*/Linux (Owl) is known to be
affected, due to Olaf Kirch's fixes for this problem getting into the
GNU C library more than two years ago.
Unfortunatly that does not mean that Linux systems are not vulnerable. Similar code, without Olaf Firch's fixes, is in the glibc getnetbyXXX functions. These functions are described in the SuSE alert as " used by very few applications only, such as ifconfig and ifuser, which makes exploits less likely." CERT Advisory: CA-2002-19 Buffer Overflow in Multiple DNS Resolver Libraries | |||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||
Canna server: exploitable buffer overrun
| Package(s): | canna | CVE #(s): | CAN-2002-1158 CAN-2002-1159 | ||||||||||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | ||||||||||||
| Description: | Canna is a kana-kanji conversion server which is necessary for Japanese
language character input.
A buffer overflow bug in the Canna server up to and including version 3.5b2 allows a local user to gain the privileges of the user 'bin' which could lead to further exploits. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2002-1158 to this issue. A lack of validation of requests has been found that affects Canna version 3.6 and earlier. A malicious remote user could exploit this vulnerability to leak information, or cause a denial of service attack. (CAN-2002-1159) | ||||||||||||||
| Alerts: |
| ||||||||||||||
CUPS: vulnerability in the CUPS IPP implementation
| Package(s): | cups | CVE #(s): | CAN-2003-0195 | ||||||||||||||||||||||||
| Created: | May 27, 2003 | Updated: | July 22, 2003 | ||||||||||||||||||||||||
| Description: | Phil D'Amore of Red Hat discovered a vulnerability in the CUPS IPP (Internet Printing Protocol) implementation. The IPP implementation is single-threaded, which means only one request can be serviced at a time. An attacker could make a partial request that does not time out and therefore creates a denial of service. In order to exploit this bug, an attacker must have the ability to make a TCP connection to the IPP port (by default 631). | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
dvips: command execution vulnerability
| Package(s): | dvips | CVE #(s): | CAN-2002-0836 | ||||||||||||||||||||||||
| Created: | October 16, 2002 | Updated: | June 10, 2003 | ||||||||||||||||||||||||
| Description: | The dvips utility uses the system() function improperly when managing fonts. An attacker who can craft the right sort of print job can use this vulnerability to execute commands under the UID used by the print system. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
ethereal - format string vulnerability
| Package(s): | ethereal | CVE #(s): | CAN-2003-0081 | ||||||||||||||||||
| Created: | March 10, 2003 | Updated: | June 12, 2003 | ||||||||||||||||||
| Description: | The SOCKS dissector in Ethereal 0.9.9 is susceptible to a format string overflow. This vulnerability has been present in Ethereal since the SOCKS dissector was introduced in version 0.8.7. It was discovered by Georgi Guninski. Additionally, the NTLMSSP code is susceptible to a heap overflow. All users of Ethereal 0.9.9 and below are encouraged to upgrade. See the full advisory for additional information. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
Filename disclosure vulnerability in fam
| Package(s): | fam | CVE #(s): | CAN-2002-0875 | ||||||
| Created: | August 19, 2002 | Updated: | January 5, 2005 | ||||||
| Description: | "fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. | ||||||||
| Alerts: |
| ||||||||
fetchmail: buffer overflow
| Package(s): | fetchmail | CVE #(s): | CAN-2002-1365 | ||||||||||||||||||||||||
| Created: | December 17, 2002 | Updated: | October 20, 2003 | ||||||||||||||||||||||||
| Description: | Versions of fetchmail prior to 6.2.0 have (yet another) buffer overflow vulnerability which can be exploited remotely via a suitably crafted message. See this advisory for details. | ||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||
file - memory allocation problem, stack overflow
| Package(s): | file | CVE #(s): | CAN-2003-0102 | |||||||||||||||||||||||||||||||||
| Created: | March 4, 2003 | Updated: | June 4, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Jeff Johnson found a memory allocation problem and David Endler found a stack overflow corruption problem in the file "Automatic File Content Type Recognition Tool" version 3.41. Nalin Dahyabhai improved ELF section and program header handling in file version 3.40. The folks at OpenPKG believe that file versions without those modifications are vulnerable to memory allocation and stack overflow problems which put security at risk. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
gPS: multiple vulnerabilities
| Package(s): | gPS | CVE #(s): | ||||
| Created: | May 29, 2003 | Updated: | June 3, 2003 | |||
| Description: | gPS is a graphical application to watch system processes. In release 1.1.0 of the gps package, several security vulnerabilities were fixed, including several buffer overflows and a problem where any host could connect to the server. | |||||
| Alerts: |
| |||||
ghostscript: command execution vulnerability
| Package(s): | ghostscript | CVE #(s): | CAN-2003-0354 | |||||||||||||||
| Created: | June 2, 2003 | Updated: | June 16, 2003 | |||||||||||||||
| Description: | A flaw in unpatched versions of Ghostscript before 7.07 allows malicious postscript files to execute arbitrary commands even with -dSAFER enabled. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
Potential remote root exploit in glibc
| Package(s): | glibc | CVE #(s): | CAN-2002-0391 | ||||||||||||||||||||||||||||||||||||||||||
| Created: | August 14, 2002 | Updated: | June 29, 2003 | ||||||||||||||||||||||||||||||||||||||||||
| Description: | Felix von Leitner, discovered a
potential division by zero bug in
code derived from the SunRPC library which is used in glibc.This bug could be
exploited to gain unauthorized root access to software linking to glibc.
Updating as soon as practical is a good idea.
Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of differing security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
CERT/CC Vulnerability Note VU#192995 Integer overflow in xdr_array() function when deserializing the XDR stream | ||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||
glibc: DNS stub resolvers contain buffer overflow vulnerability
| Package(s): | glibc | CVE #(s): | CAN-2002-1146 | |||||||||
| Created: | November 7, 2002 | Updated: | February 5, 2004 | |||||||||
| Description: | DNS stub resolvers from multiple vendors contain a buffer overflow
vulnerability. The impact of this vulnerability appears to be limited to
denial of service. (See CERT Vulnerability Note
VU#738331)
The BIND 4 and BIND 8.2.x stub resolver libraries, and other libraries such as glibc 2.2.5 and earlier, libc, and libresolv, uses the maximum buffer size instead of the actual size when processing a DNS response, which causes the stub resolvers to read past the actual boundary ("read buffer overflow"), allowing remote attackers to cause a denial of service (crash). | |||||||||||
| Alerts: |
| |||||||||||
gnupg: key validation
| Package(s): | gnupg | CVE #(s): | CAN-2003-0255 | |||||||||||||||||||||||||||
| Created: | May 15, 2003 | Updated: | November 17, 2003 | |||||||||||||||||||||||||||
| Description: | A key validation bug was discovered in the GNU Privacy Guard (GPG) which would cause keys with more then one user ID to trust all user ID's with the amount of trust given to the most-valid user ID. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml | CVE #(s): | CAN-2003-0133 CAN-2003-0541 | ||||||||||||||||||
| Created: | April 14, 2003 | Updated: | April 18, 2005 | ||||||||||||||||||
| Description: | GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug when handling HTML messages. Alan Cox discovered that certain malformed messages could cause the Evolution mail component to crash. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
IMP - SQL injection vulnerability
| Package(s): | imp | CVE #(s): | CAN-2003-0025 | |||||||||
| Created: | January 15, 2003 | Updated: | July 8, 2003 | |||||||||
| Description: | The IMP IMAP server, versions 2.2.8 and prior, is vulnerable to SQL injection; see this advisory for details. Version 3.x is not vulnerable to this problem. | |||||||||||
| Alerts: |
| |||||||||||
kde: arbitrary code execution
| Package(s): | kde | CVE #(s): | CAN-2003-0204 | ||||||||||||||||||||||||||||||||||||
| Created: | April 10, 2003 | Updated: | June 30, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | The KDE Security team has issued an advisory
on a vulnerability present in all versions of KDE that allow a remote
attacker to execute arbitrary commands under your account. KDE 3.0.5b and
KDE 3.1.1a have been released to address this problem. For KDE 2.2.2
patches to the KDE 2.2.2 sources have been made available.
KDE uses Ghostscript software for processing of PostScript (PS) and PDF files in a way that allows for the execution of arbitrary commands that can be contained in such files. An attacker can prepare a malicious PostScript or PDF file which will provide the attacker with access to the victim's account and privileges when the victim opens this malicious file for viewing or when the victim browses a directory containing such malicious file and has file previews enabled. An attacker can provide malicious files remotely to a victim in an e-mail, as part of a webpage, via an ftp server and possible other means. | ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
kernel - ptrace-related vulnerability
| Package(s): | kernel | CVE #(s): | CAN-2003-0127 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | March 17, 2003 | Updated: | June 30, 2003 | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Versions 2.2.x and 2.4.x of the Linux kernel contain a vulnerability in ptrace() which may be exploited by a local user to obtain root access. This announcement contains the details and a patch for 2.4.20. For 2.2 users, 2.2.25 has been released which contains the fix. | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
kernel 2.4 - two new vulnerabilities
| Package(s): | kernel | CVE #(s): | CAN-2003-0244 CAN-2003-0246 | ||||||||||||||||||||||||||||||||||||
| Created: | May 14, 2003 | Updated: | July 25, 2003 | ||||||||||||||||||||||||||||||||||||
| Description: | The 2.4.20 (and prior) kernel contains a couple of vulnerabilities that are worth fixing.
| ||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils | CVE #(s): | CAN-2003-0019 | |||
| Created: | February 7, 2003 | Updated: | January 21, 2005 | |||
| Description: | The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was incorrectly shipped setuid root. This could allow local users to control certain network interfaces, add and remove arp entries and routes, and put interfaces in and out of promiscuous mode. All users of the kernel-utils package should update to these packages that contain a version of uml_net that is not setuid root. Alternatively, as a work-around to this vulnerability issue the following command as root: chmod -s /usr/bin/uml_net | |||||
| Alerts: |
| |||||
kon2: buffer overflow allows local users to obtain root privileges
| Package(s): | kon2 | CVE #(s): | CAN-2002-1155 | |||||||||
| Created: | June 3, 2003 | Updated: | June 16, 2003 | |||||||||
| Description: | KON is a Kanji emulator for the console. There is a buffer overflow vulnerability in the command line parsing code portion of the kon program up to and including version 0.3.9b. This vulnerability, if appropriately exploited, can lead to local users being able to gain elevated (root) privileges. | |||||||||||
| Alerts: |
| |||||||||||
kopete: vulnerabiliy in GnuPG plugin
| Package(s): | kopete | CVE #(s): | CAN-2003-0256 | |||||||||
| Created: | May 8, 2003 | Updated: | June 27, 2003 | |||||||||
| Description: | A vulnerability was discovered in versions of kopete prior to 0.6.2. Kopete is a KDE instant messenger client. This vulnerabiliy is in the GnuPG plugin that allows for users to send each other GPG-encrypted instant messages. The plugin passes encrypted messages to gpg, but does no checking to sanitize the commandline passed to gpg. This can allow remote users to execute arbitrary code, with the permissions of the user running kopete, on the local system. | |||||||||||
| Alerts: |
| |||||||||||
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 | CVE #(s): | CAN-2002-1363 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | December 19, 2002 | Updated: | July 14, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | Glenn Randers-Pehrson discovered a problem in connection with 16-bit samples from libpng, an interface for reading and writing PNG (Portable Network Graphics) format files. The starting offsets for the loops are calculated incorrectly which causes a buffer overrun beyond the beginning of the row buffer. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
lv: privilege escalation
| Package(s): | lv | CVE #(s): | CAN-2003-0188 | ||||||||||||
| Created: | May 15, 2003 | Updated: | June 4, 2003 | ||||||||||||
| Description: | Leonard Stiles discovered that lv, a multilingual file viewer, would read options from a configuration file in the current directory. Because such a file could be placed there by a malicious user, and lv configuration options can be used to execute commands, this represented a security vulnerability. An attacker could gain the privileges of the user invoking lv, including root. | ||||||||||||||
| Alerts: |
| ||||||||||||||
lynx: CRLF injection vulnerability
| Package(s): | lynx | CVE #(s): | CAN-2002-1405 | |||||||||||||||||||||
| Created: | November 19, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||
| Description: | If lynx is given a url with some special characters on the command line, it will include faked headers in the HTTP query. This feature can be used to force scripts (that use Lynx for downloading files) to access the wrong site on a web server with multiple virtual hosts. | |||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||
Nessus NASL scripting engine security issues
| Package(s): | nessus | CVE #(s): | ||||
| Created: | May 27, 2003 | Updated: | August 12, 2004 | |||
| Description: | Some some vulnerabilities exsist in the Nessus NASL scripting engine. To exploit these flaws, an attacker would need to have a valid Nessus account as well as the ability to upload arbitrary Nessus plugins in the Nessus server (this option is disabled by default) or he/she would need to trick a user somehow into running a specially crafted nasl script. Read the full advisory for additional information. | |||||
| Alerts: |
| |||||
net-snmp: denial of service vulnerability
| Package(s): | net-snmp | CVE #(s): | CAN-2002-1170 | ||||||
| Created: | December 17, 2002 | Updated: | November 7, 2003 | ||||||
| Description: | The SNMP daemon included in the Net-SNMP package versions 5.0.1 through 5.0.4 can be caused to crash if it is sent a specially crafted packet. | ||||||||
| Alerts: |
| ||||||||
nethack: buffer overflow
| Package(s): | nethack, slashem, falconseye | CVE #(s): | CAN-2003-0358 CAN-2003-0359 | |||||||||||||||
| Created: | February 18, 2003 | Updated: | July 15, 2003 | |||||||||||||||
| Description: | Overflowing a buffer in nethack may lead to privilege escalation to games
uid.
Read the the full advisory for the details. Note that falconseye does not contain the file permission error CAN-2003-0359 which affected some other nethack packages. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
netscape-flash: buffer overflow
| Package(s): | netscape-flash | CVE #(s): | |||||||
| Created: | March 10, 2003 | Updated: | June 20, 2003 | ||||||
| Description: | Potentially exploitable buffer overflows exist in the Macromedia Flash Player. The full advisory is here. "The cumulative security patch is available today and addresses the potential for exploits surrounding buffer overflows (read/write) and sandbox integrity within the player, which might allow malicious users to gain access to a user's computer. The possibility of running native code on a users machine is a theoretical exploit, and extremely difficult to execute in practice. There are no known examples of running such native code from Macromedia Flash movies; however, even though this issue is difficult and theoretical in nature only, we are encouraging users to upgrade." | ||||||||
| Alerts: |
| ||||||||
openssh: timing attack leads to information disclosure
| Package(s): | openssh | CVE #(s): | CAN-2003-0190 | |||||||||||||||
| Created: | May 2, 2003 | Updated: | November 30, 2004 | |||||||||||||||
| Description: | From the advisory: "During a pen-test we stumbled across a nasty bug in OpenSSH-portable with PAM support enabled (via the --with-pam configure script switch). This bug allows a remote attacker to identify valid users on vulnerable systems, through a simple timing attack. The vulnerability is easy to exploit and may have high severity, if combined with poor password policies and other security problems that allow local privilege escalation." | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
pam_xauth: root exploit
| Package(s): | pam_xauth | CVE #(s): | CAN-2002-1160 | |||||||||
| Created: | February 13, 2003 | Updated: | July 10, 2003 | |||||||||
| Description: | The pam_xauth module is used to forward xauth information from user to user
in applications such as 'su'.
Andreas Beck discovered that versions of pam_xauth supplied with Red Hat Linux since version 7.1 would forward authorization information from the root account to unprivileged users. This could be used by a local attacker to gain access to an administrator's X session. In order to exploit this vulnerability, the attacker would have to get the administrator, as root, to use su to the account belonging to the attacker. | |||||||||||
| Alerts: |
| |||||||||||
PHP: vulnerability in mail function
| Package(s): | php | CVE #(s): | CAN-2002-0985 CAN-2002-0986 | |||||||||||||||
| Created: | November 13, 2002 | Updated: | October 1, 2003 | |||||||||||||||
| Description: | Two vulnerabilities exists in the mail() PHP function. The first one allows the execution of any program/script bypassing safe_mode restriction, the second one may give an open-relay script if the mail() function is not carefully used in PHP scripts. See this Bugtraq report for more details. Note that this is a different vulnerability than the previous PHP mail() problem, which affected versions through 4.1.0. | |||||||||||||||||
| Alerts: |
| |||||||||||||||||
PostgreSQL - more buffer overflows
| Package(s): | postgresql | CVE #(s): | |||||||||||||
| Created: | February 12, 2003 | Updated: | November 7, 2003 | ||||||||||||
| Description: | A new set of buffer overflows has been discovered in PostgreSQL 7.2.2; they affect the circle_poly(), path_encode(), and path_addr() functions. Exploiting these overflows requires that the attacker first obtain a connection to the PostgreSQL server. | ||||||||||||||
| Alerts: |
| ||||||||||||||
PoPTop: remotely exploitable buffer overflow
| Package(s): | pptpd | CVE #(s): | CAN-2003-0213 | |||||||||
| Created: | April 28, 2003 | Updated: | June 6, 2003 | |||||||||
| Description: | The PoPToP PPTP server contains a remotely exploitable buffer overflow; read the full advisory for more information. | |||||||||||
| Alerts: |
| |||||||||||
Local arbitrary code execution vulnerability in Python
| Package(s): | python | CVE #(s): | CAN-2002-1119 | |||||||||||||||||||||||||||||||||
| Created: | August 28, 2002 | Updated: | October 1, 2003 | |||||||||||||||||||||||||||||||||
| Description: | Zack Weinberg discovered that os._execvpe from os.py uses a predictable name which could lead to execution of arbitrary code. According to the Debian advisory, the problem was present in Python versions 1.5, 2.1 and 2.2. | |||||||||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||||||||
squirrelmail: more cross-site scripting vulnerabilities
| Package(s): | squirrelmail | CVE #(s): | CAN-2003-0160 | ||||||
| Created: | April 24, 2003 | Updated: | June 4, 2003 | ||||||
| Description: | SquirrelMail is a webmail package written in PHP. Multiple vulnerabilities
have been found which affect versions of SquirrelMail shipped with Red Hat
Linux 8.0 and Red Hat Linux 9.
Cross-site scripting vulnerabilities in SquirrelMail version 1.2.10 and earlier allow remote attackers to execute script as other Web users via mailbox displays, message displays, or search results displays. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0160 to these issues. All users are advised to upgrade to these errata packages containing SquirrelMail version 1.2.11, which is not vulnerable to these issues. | ||||||||
| Alerts: |
| ||||||||
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip | CVE #(s): | CAN-2001-1267 CAN-2001-1268 CAN-2001-1269 CAN-2002-0399 | |||||||||||||||||||||||||||
| Created: | October 1, 2002 | Updated: | April 9, 2006 | |||||||||||||||||||||||||||
| Description: | The tar utility does not properly filter file names containing "../", meaning that a hostile archive can, if unpacked by an unsuspecting user, overwrite any file that is writable by that user. GNU tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42 has the same vulnerability. | |||||||||||||||||||||||||||||
| Alerts: |
| |||||||||||||||||||||||||||||
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 | CVE #(s): | |||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | May 21, 2002 | Updated: | October 5, 2004 | ||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | This vulnerability, originally thought to be confined to BSD-derived systems, was first covered in the July 26th Security Summary. It is now known that Linux telnet daemons are vulnerable as well. | ||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||
tomcat: insecure directory mode
| Package(s): | tomcat | CVE #(s): | ||||
| Created: | June 2, 2003 | Updated: | June 3, 2003 | |||
| Description: | Versions prior to tomcat-4.1.24 created /opt/tomcat with a directory mode which allowed users to access files containing passwords. | |||||
| Alerts: |
| |||||
typespeed: buffer overflow
| Package(s): | typespeed | CVE #(s): | |||||||
| Created: | January 1, 2003 | Updated: | June 17, 2003 | ||||||
| Description: | A problem has been discovered in the typespeed, a game that lets you measure your typematic speed. By overflowing a buffer a local attacker could execute arbitrary commands under the group id games. | ||||||||
| Alerts: |
| ||||||||
uw-imapd: vulnerabilities in IMAP clients written with C and C++
| Package(s): | uw-imapd | CVE #(s): | ||||
| Created: | June 2, 2003 | Updated: | June 3, 2003 | |||
| Description: | There are two common vulnerabilities in IMAP clients written with C and
C++:
1. Handling huge literal sizes. Many clients do malloc(literal_size+1) and then read the literal into it. Problem is that if literal_size is UINT_MAX-1, the +1 overflows it into malloc(0) but server is still allowed to write UINT_MAX-1 bytes of data there. There may also be similiar problems if literal size is read into signed integer which causes it to become negative. Some clients use atoi(), so giving -1 as literal size is equilevant to giving UINT_MAX-1. IMAP servers can also be vulnerable to this one if they're not careful. 2. Handling huge mailbox sizes (ie. huge value in EXISTS reply). Many clients do malloc(messages_count * sizeof(struct message)) and read data into it. Read the full advisory for more information. | |||||
| Alerts: |
| |||||
vim - modeline vulnerability
| Package(s): | vim | CVE #(s): | CAN-2002-1377 | ||||||||||||||||||
| Created: | January 16, 2003 | Updated: | February 10, 2004 | ||||||||||||||||||
| Description: | VIM allows a user to set the modeline differently for each edited text file by placing special comments in the files. Georgi Guninski found that these comments can be carefully crafted in order to call external programs. This could allow an attacker to create a text file such that when it is opened arbitrary commands are executed. | ||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||
vixie-cron: Local vulnerability
| Package(s): | vixie-cron | CVE #(s): | CVE-2001-0559 | |||||||||
| Created: | April 17, 2003 | Updated: | October 3, 2003 | |||||||||
| Description: | From the ISS
advisory:
"Vixie Cron is a scheduling daemon that ships with several Linux
distributions. Vixie Cron version 3.0pl1 could allow a local attacker to
gain root privileges. Crontab fails to properly drop privileges in certain
cases after a crontab modification operation. A local attacker could
exploit this vulnerability to gain root privileges on the system since
crontab is installed setuid root."
Note: this vulnerability is dated May 07 2001, and was first mentioned in LWN on the May 10, 2001 security page. | |||||||||||
| Alerts: |
| |||||||||||
wget:directory traversal bug
| Package(s): | wget | CVE #(s): | CAN-2002-1344 | |||||
| Created: | December 10, 2002 | Updated: | October 1, 2003 | |||||
| Description: | Versions of wget prior to 1.8.2-4 contain a bug that permits a malicious
FTP server to create or overwrite files anywhere on the local file system.
FTP clients must check to see if an FTP server's response to the NLST command includes any directory information along with the list of filenames required by the FTP protocol (RFC 959, section 4.1.3). If the FTP client fails to do so, a malicious FTP server can send filenames beginning with '/' or containing '/../' which can be used to direct a vulnerable FTP client to write files (such as .forward, .rhosts, .shosts, etc.) that can then be used for later attacks against the client machine. See also this Bugtraq article from 1997. | |||||||
| Alerts: |
| |||||||