|
|
| |
|
| |
Security
Brief items
The mremap() system call allows a process to change its virtual
memory layout by adjusting the size and location of a virtual memory area.
One of the things mremap() can do is move one virtual memory area
(VMA) into the middle of another one. In that case, the target VMA will be
split in two so that the space in the middle can be freed and reused for
the VMA being moved. As long as the calling process knows what it is doing
(it doesn't need the pages being replaced by the moved area, for example),
all of this is fine.
An interesting thing can happen in the 2.4.24 and 2.6.2 kernels, however.
The kernel enforces a limit on the maximum number of VMAs that any one
process can have. If the kernel attempts to split a VMA in response to the
sort of mremap() call described above, it will check the process's
VMA usage against the limit. Splitting requires the addition of a new VMA,
so this check is necessary. If the limit has been reached, the internal
call which splits the VMA (do_munmap()) will return a failure
status. So far, so good.
The problem is that mremap() did not check to see if
do_munmap() succeeded or not. If the split failed,
mremap() would continue anyway. The end result is that the old
target VMA would remain, with its existing permissions, but some of its
associated page table entries would be overwritten by entries from the VMA
being moved. In other words, an attacker can exploit this bug to obtain
access to a set of pages which the kernel would not otherwise have
allowed. This vulnerability can be exploited by a local hacker to obtain
root access on any Linux system running a vulnerable kernel.
The solution is to upgrade to 2.4.25 or 2.6.3, or to apply the appropriate
distributor security update. The LWN
vulnerability entry tracks the available updates. For more information
on the vulnerability, see this advisory from
Paul Starzetz.
Comments (6 posted)
New vulnerabilities
cgiemail vulnerability allows unauthorized mail relaying
| Package(s): | cgiemail |
CVE #(s): | CAN-2002-1575
|
| Created: | February 13, 2004 |
Updated: | February 18, 2004 |
| Description: |
A vulnerability in cgiemail, a cgi program, allows mail to be sent
to arbitrary addresses, making the host capable of generating spam.
New cgiemail packages fix open mail relaying. |
| Alerts: |
|
Comments (none posted)
elm: vulnerability in frm command
| Package(s): | elm |
CVE #(s): | CAN-2003-0966
|
| Created: | February 13, 2004 |
Updated: | February 18, 2004 |
| Description: |
Elm is a terminal mode email user agent. The frm command is provided as
part of the Elm packages and gives a summary list of the sender and subject
of selected messages in a mailbox or folder.
A buffer overflow vulnerability was found in the frm command. An attacker
could create a message with an overly long Subject line such that when the
frm command is run by a victim arbitrary code is executed. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0966 to this issue. |
| Alerts: |
|
Comments (1 posted)
kernel: local root exploit
Comments (none posted)
metamail: integer and buffer overflows
| Package(s): | metamail |
CVE #(s): | CAN-2004-0104
CAN-2004-0105
|
| Created: | February 18, 2004 |
Updated: | May 21, 2004 |
| Description: |
Versions of metamail through 2.7 contain a set of integer and buffer overflows which are remotely exploitable via a properly crafted message. |
| Alerts: |
|
Comments (none posted)
phpMyAdmin: directory traversal
| Package(s): | phpMyAdmin |
CVE #(s): | |
| Created: | February 17, 2004 |
Updated: | February 18, 2004 |
| Description: |
A component of the phpMyAdmin software package (export.php) does not
properly verify input that is passed to it from a remote user. Since the
input is used to include other files, it is possible to launch a directory
traversal attack. |
| Alerts: |
|
Comments (none posted)
PWLib: possible Denial of Service
| Package(s): | PWLib |
CVE #(s): | CAN-2004-0097
|
| Created: | February 13, 2004 |
Updated: | April 9, 2004 |
| Description: |
PWLib is a cross-platform class library designed to support the OpenH323
project. OpenH323 provides an implementation of the ITU H.323
teleconferencing protocol, used by packages such as Gnome Meeting.
A test suite for the H.225 protocol (part of the H.323 family) provided by
the NISCC uncovered bugs in PWLib prior to version 1.6.0. An attacker
could trigger these bugs by sending carefully crafted messages to an
application. The effects of such an attack can vary depending on the
application, but would usually result in a Denial of Service. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0097 to this issue. |
| Alerts: |
|
Comments (none posted)
samba: access to disabled accounts
| Package(s): | samba |
CVE #(s): | CAN-2004-0082
|
| Created: | February 18, 2004 |
Updated: | February 19, 2004 |
| Description: |
Samba 3.0.0 and 3.0.1 contains a difficult-to-exploit vulnerability which could give an attacker access to a disabled account. |
| Alerts: |
|
Comments (none posted)
Updated vulnerabilities
apache: buffer overflows in mod_alias, mod_rewrite
| Package(s): | apache |
CVE #(s): | CAN-2003-0542
CAN-2003-0789
|
| Created: | October 28, 2003 |
Updated: | February 13, 2004 |
| Description: |
André Malo discovered
buffer overflows in the mod_alias and mod_rewrite modules of the Apache
webserver. These occurred if a regular expression with more than 9
capturing parenthesis was configured. To exploit this, an attacker would
need to be able to locally create a carefully crafted configuration file
(.htaccess or httpd.conf).
CAN-2003-0542
Another buffer overflow in Apache 2.0.47 and earlier in mod_cgid's
mishandling of CGI redirect paths could result in CGI output going to the
wrong client when a threaded MPM is used.
CAN-2003-0789. |
| Alerts: |
|
Comments (none posted)
apache2: Denial of Service vulnerability
| Package(s): | apache2 |
CVE #(s): | |
| Created: | September 29, 2003 |
Updated: | March 25, 2004 |
| Description: |
A problem was discovered in Apache2 where CGI scripts that write more than
4k to the standard error stream will hang the script's execution. This problem can lead to a
denial of service situation. See this bug
report for additional details. |
| Alerts: |
|
Comments (none posted)
bind: cache poisoning
| Package(s): | bind |
CVE #(s): | CAN-2003-0914
|
| Created: | November 26, 2003 |
Updated: | February 19, 2004 |
| Description: |
A cache poisoning vulnerability in BIND may be exploited causing a
temporary denial of service until the bad record expires from the cache. |
| Alerts: |
|
Comments (none posted)
CUPS: denial of service
| Package(s): | CUPS |
CVE #(s): | CAN-2003-0788
|
| Created: | November 3, 2003 |
Updated: | March 4, 2004 |
| Description: |
Paul Mitcheson reported a situation where the CUPS Internet Printing
Protocol (IPP) implementation in CUPS versions prior to 1.1.19 would get
into a busy loop. This could result in a denial of service. In order to
exploit this bug an attacker would need to have the ability to make a TCP
connection to the IPP port (by default 631).
|
| Alerts: |
|
Comments (none posted)
cvs: possible root compromise
| Package(s): | cvs |
CVE #(s): | CAN-2003-0977
|
| Created: | December 29, 2003 |
Updated: | February 13, 2004 |
| Description: |
Stable CVS 1.11.11 has been released,
adding code to the CVS server to prevent it from continuing as root after a
user login, as an extra failsafe against a compromise of the CVSROOT/passwd
file. |
| Alerts: |
|
Comments (none posted)
ethereal: protocol dissector and other vulnerabilities
| Package(s): | ethereal |
CVE #(s): | CAN-2003-0925
CAN-2003-0926
CAN-2003-0927
CAN-2003-1012
CAN-2003-1013
|
| Created: | December 19, 2003 |
Updated: | February 13, 2004 |
| Description: |
Serious issues have been discovered in two ethereal protocol dissectors.
Both vulnerabilities will make the Ethereal application crash. The Q.931
vulnerability also affects Tethereal. It is not known if either
vulnerability can be used to make Ethereal or Tethereal run arbitrary
code. (CAN-2003-1012 and CAN-2003-1013) |
| Alerts: |
|
Comments (none posted)
Filename disclosure vulnerability in fam
| Package(s): | fam |
CVE #(s): | CAN-2002-0875
|
| Created: | August 19, 2002 |
Updated: | January 5, 2005 |
| Description: |
"fam" (file alteration monitor) watches files and directories for changes and lets interested applications know when something happens. This package has a flaw in its group handling that blocks some legitimate operations while, at the same time, exposing the names of files that should otherwise be invisible. |
| Alerts: |
|
Comments (none posted)
fetchmail may crash on specially crafted message
| Package(s): | fetchmail |
CVE #(s): | CAN-2003-0792
|
| Created: | October 17, 2003 |
Updated: | April 8, 2004 |
| Description: |
A bug was discovered in fetchmail 6.2.4 where a specially crafted email
message can cause fetchmail to crash.
|
| Alerts: |
|
Comments (none posted)
fileutils/wu-ftpd: denial of service
| Package(s): | fileutils |
CVE #(s): | CAN-2003-0854
|
| Created: | October 22, 2003 |
Updated: | March 2, 2004 |
| Description: |
There is, it seems, an integer overflow vulnerability in "ls" which can be exploited via wu-ftpd to create a denial of service situation. See this advisory from Georgi Guninski for details. |
| Alerts: |
|
Comments (none posted)
gaim: remote overflows
| Package(s): | gaim |
CVE #(s): | CAN-2004-0006
CAN-2004-0007
CAN-2004-0008
|
| Created: | January 26, 2004 |
Updated: | February 17, 2004 |
| Description: |
Stefan Esser has discovered several vulnerabilities in Gaim 0.75. This advisory has details of 12 separate
vulnerabilities. |
| Alerts: |
|
Comments (none posted)
gallery: code injection
| Package(s): | gallery |
CVE #(s): | |
| Created: | February 12, 2004 |
Updated: | February 12, 2004 |
| Description: |
Gallery (through versions 1.4.1) suffers from a PHP code injection vulnerability which can provide a remote attacker with access to the web server process. |
| Alerts: |
|
Comments (none posted)
GnuPG: ElGamal signing keys compromised
| Package(s): | gnupg |
CVE #(s): | CAN-2003-0971
|
| Created: | November 28, 2003 |
Updated: | March 3, 2004 |
| Description: |
A severe vulnerability was discovered in GnuPG by Phong Nguyen relating to
ElGamal sign+encrypt keys. This
email message from Werner Koch contains more information. "Phong
Nguyen identified a severe bug in the way GnuPG creates and uses ElGamal
keys for signing. This is a significant security failure which can lead to
a compromise of almost all ElGamal keys used for signing. Note that this
is a real world vulnerability which will reveal your private key within a
few seconds." |
| Alerts: |
|
Comments (3 posted)
gtkhtml: malformed messages cause crash
| Package(s): | gtkhtml |
CVE #(s): | CAN-2003-0133
CAN-2003-0541
|
| Created: | April 14, 2003 |
Updated: | April 18, 2005 |
| Description: |
GtkHTML is the HTML rendering widget used by the Evolution mail reader.
GtkHTML supplied with versions of Evolution prior to 1.2.4 contain a bug
when handling HTML messages. Alan Cox discovered that certain malformed
messages could cause the Evolution mail component to crash. |
| Alerts: |
|
Comments (none posted)
iproute: local denial of service
| Package(s): | iproute net-tools |
CVE #(s): | CAN-2003-0856
|
| Created: | November 25, 2003 |
Updated: | December 14, 2004 |
| Description: |
The iproute utility is susceptible to spoofed netlink messages sent by local users, with the result that denial of service attacks are possible. |
| Alerts: |
|
Comments (none posted)
kdepim: VCF file information reader vulnerability
| Package(s): | kdepim |
CVE #(s): | CAN-2003-0988
|
| Created: | January 15, 2004 |
Updated: | May 26, 2004 |
| Description: |
KDE has issued a security advisory for all
versions of kdepim as distributed with KDE versions 3.1.0 through 3.1.4
inclusive. A carefully crafted .VCF file potentially enables local
attackers to compromise the privacy of a victim's data or execute arbitrary
commands with the victim's privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0988 to
this issue. |
| Alerts: |
|
Comments (none posted)
kernel: privilege vulnerability on AMD64
| Package(s): | kernel |
CVE #(s): | CAN-2004-0001
|
| Created: | January 16, 2004 |
Updated: | February 17, 2004 |
| Description: |
On AMD64 systems, a fix was made to the eflags checking in
32-bit ptrace emulation that could have allowed local users
to elevate their privileges. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0001 to this issue. |
| Alerts: |
|
Comments (none posted)
kernel: local root exploit in 2.4.22
| Package(s): | kernel |
CVE #(s): | CAN-2003-0961
|
| Created: | December 1, 2003 |
Updated: | April 5, 2004 |
| Description: |
A vulnerability was discovered in the Linux kernel versions 2.4.22 and
previous. A flaw in bounds checking in the do_brk() function can allow a
local attacker to gain root privileges. This vulnerability is known to be
exploitable.
The 2.4.23 kernel contains the fix. For more details on how this vulnerability works, see this LWN article. |
| Alerts: |
|
Comments (1 posted)
kernel-utils: setuid vulnerability
| Package(s): | kernel-utils |
CVE #(s): | CAN-2003-0019
|
| Created: | February 7, 2003 |
Updated: | January 21, 2005 |
| Description: |
The kernel-utils package contains several utilities that can be used to
control the kernel or machine hardware. In Red Hat Linux 8.0 this package
contains user mode linux (UML) utilities.
The uml_net utility in kernel-utils packages with Red Hat Linux 8.0 was
incorrectly shipped setuid root. This could allow local users to control
certain network interfaces, add and remove arp entries and routes, and put
interfaces in and out of promiscuous mode.
All users of the kernel-utils package should update to these packages that
contain a version of uml_net that is not setuid root.
Alternatively, as a work-around to this vulnerability issue the following
command as root:
chmod -s /usr/bin/uml_net |
| Alerts: |
|
Comments (none posted)
lftp buffer overflows
| Package(s): | lftp |
CVE #(s): | CAN-2003-0963
|
| Created: | December 15, 2003 |
Updated: | February 13, 2004 |
| Description: |
According to this advisory versions of lftp
prior to 2.6.10 are vulnerable to two exploitable buffer overflow
problems. Both occur when you connect to a web server with lftp using HTTP
or HTTPS, and then use lftp's "ls" or "rels" commands on specially prepared
directories on the web server. |
| Alerts: |
|
Comments (none posted)
libpng, libpng3: buffer overflow
| Package(s): | libpng, libpng3 |
CVE #(s): | CAN-2002-1363
|
| Created: | December 19, 2002 |
Updated: | July 14, 2004 |
| Description: |
Glenn Randers-Pehrson discovered a problem in connection with 16-bit
samples from libpng, an interface for reading and writing PNG
(Portable Network Graphics) format files. The starting offsets for
the loops are calculated incorrectly which causes a buffer overrun
beyond the beginning of the row buffer. |
| Alerts: |
|
Comments (none posted)
libtool - Insecure handling of temporary files
| Package(s): | libtool |
CVE #(s): | |
| Created: | February 5, 2004 |
Updated: | March 8, 2004 |
| Description: |
GNU libtool consists of a set of shell scripts used to build shared
libraries.
Joseph S. Myers
and Stefan
Nordhausen independently found a vulnerability in the way
the ltmain.sh script (which is part of the libtool package) creates
temporary directories for its use.
A local attacker could exploit this vulnerability to change/delete
arbitrary files in the system on behalf of the user who is calling the
script. The vulnerability has been fixed in the 1.5.2 version of libtool. |
| Alerts: |
|
Comments (none posted)
mailman: cross-site scripting vulnerabilities
| Package(s): | mailman |
CVE #(s): | CAN-2003-0965
CAN-2003-0992
|
| Created: | February 6, 2004 |
Updated: | March 5, 2004 |
| Description: |
Dirk Mueller discovered a cross-site scripting bug in the admin interface
in versions of Mailman 2.1 before 2.1.4. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0965 to
this issue.
A cross-site scripting bug in the 'create' CGI script affects versions of
Mailman 2.1 before 2.1.3. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0992 to this issue. |
| Alerts: |
|
Comments (none posted)
mailman denial of service
| Package(s): | mailman |
CVE #(s): | CAN-2003-0991
|
| Created: | February 9, 2004 |
Updated: | May 25, 2004 |
| Description: |
Matthew Galgoci of Red Hat discovered a Denial of Service (DoS)
vulnerability in versions of Mailman prior to 2.1. An attacker could send
a carefully-crafted message causing mailman to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2003-0991 to this issue. |
| Alerts: |
|
Comments (1 posted)
mc: arbitrary code execution
| Package(s): | mc |
CVE #(s): | CAN-2003-1023
|
| Created: | January 16, 2004 |
Updated: | April 5, 2004 |
| Description: |
A vulnerability was discovered in Midnight Commander, a file manager,
whereby a malicious archive (such as a .tar file) could cause arbitrary
code to be executed if opened by Midnight Commander. |
| Alerts: |
|
Comments (none posted)
mikmod: buffer overflow
| Package(s): | mikmod |
CVE #(s): | CAN-2003-0427
|
| Created: | June 16, 2003 |
Updated: | June 16, 2005 |
| Description: |
Ingo Saitz discovered a bug in mikmod whereby a long filename inside
an archive file can overflow a buffer when the archive is being read
by mikmod. |
| Alerts: |
|
Comments (none posted)
mod_python: denial of service vulnerability
| Package(s): | mod_python |
CVE #(s): | CAN-2003-0973
|
| Created: | January 27, 2004 |
Updated: | October 4, 2004 |
| Description: |
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed query. Mod_python
2.7.9 was released to fix the vulnerability, however, because the
vulnerability has not been fully fixed, version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability. |
| Alerts: |
|
Comments (none posted)
monkeyd: denial of service
| Package(s): | monkeyd |
CVE #(s): | |
| Created: | February 12, 2004 |
Updated: | February 12, 2004 |
| Description: |
The monkeyd HTTP server suffers from a parsing bug which can be exploited to crash the server process. Upgrading to version 0.8.2 fixes the problem. |
| Alerts: |
|
Comments (none posted)
mpg123: heap overflow
| Package(s): | mpg123 |
CVE #(s): | CAN-2003-0865
|
| Created: | November 12, 2003 |
Updated: | February 19, 2004 |
| Description: |
Versions of mpg123 through 0.59s contain a heap overflow which may be exploited remotely (by a hostile server). See this advisory for details. |
| Alerts: |
|
Comments (none posted)
mpg321: format string vulnerability
| Package(s): | mpg321 |
CVE #(s): | CAN-2003-0969
|
| Created: | January 6, 2004 |
Updated: | March 28, 2005 |
| Description: |
A vulnerability was discovered in mpg321, a command-line mp3 player,
whereby user-supplied strings were passed to printf(3) unsafely. This
vulnerability could be exploited by a remote attacker to overwrite
memory, and possibly execute arbitrary code. In order for this
vulnerability to be exploited, mpg321 would need to play a malicious
mp3 file (including via HTTP streaming). |
| Alerts: |
|
Comments (none posted)
mplayer: remotely exploitable buffer overflow vulnerability
| Package(s): | mplayer |
CVE #(s): | CAN-2003-0835
|
| Created: | September 29, 2003 |
Updated: | April 6, 2004 |
| Description: |
A remotely exploitable buffer overflow vulnerability was found in
MPlayer. A malicious host can craft a harmful ASX header, and trick MPlayer
into executing arbitrary code upon parsing that header. Read the full advisory
for details. |
| Alerts: |
|
Comments (none posted)
mutt: buffer overflow
| Package(s): | mutt |
CVE #(s): | CAN-2004-0078
|
| Created: | February 12, 2004 |
Updated: | March 26, 2004 |
| Description: |
mutt suffers from a buffer overflow in its "index menu" code. This overflow can be exploited via a hostile message to crash mutt and, perhaps, execute arbitrary code. Version 1.4.2 fixes the problem; see this advisory for details. |
| Alerts: |
|
Comments (none posted)
Nessus NASL scripting engine security issues
| Package(s): | nessus |
CVE #(s): | |
| Created: | May 27, 2003 |
Updated: | August 12, 2004 |
| Description: |
Some some vulnerabilities exsist in the Nessus NASL scripting engine. To
exploit these flaws, an attacker would need to have a valid Nessus account
as well as the ability to upload arbitrary Nessus plugins in the Nessus
server (this option is disabled by default) or he/she would need to trick a
user somehow into running a specially crafted nasl script. Read the full
advisory for additional information. |
| Alerts: |
|
Comments (none posted)
netpbm: insecure temporary files
| Package(s): | netpbm |
CVE #(s): | CAN-2003-0924
|
| Created: | January 19, 2004 |
Updated: | December 29, 2004 |
| Description: |
netpbm is graphics conversion toolkit made up of a large number of
single-purpose programs. Many of these programs were found to create
temporary files in an insecure manner, which could allow a local
attacker to overwrite files with the privileges of the user invoking a
vulnerable netpbm tool. |
| Alerts: |
|
Comments (1 posted)
Net-SNMP: security bugs in versions before 5.0.9
| Package(s): | Net-SNMP |
CVE #(s): | CAN-2003-0935
|
| Created: | December 2, 2003 |
Updated: | February 13, 2004 |
| Description: |
The Net-SNMP project includes various Simple Network Management Protocol
(SNMP) tools. A security issue in Net-SNMP versions before 5.0.9 could
allow an existing user/community to gain access to data in MIB objects that
were explicitly excluded from their view.
Version 5.0.9 of Net-SNMP is not vulnerable to this issue. In addition,
Net-SNMP 5.0.9 fixes a number of other minor bugs. |
| Alerts: |
|
Comments (none posted)
nfs-utils xlog() off-by-one bug
| Package(s): | nfs-utils |
CVE #(s): | CAN-2003-0252
|
| Created: | July 14, 2003 |
Updated: | March 8, 2004 |
| Description: |
Linux NFS utils package contains remotely exploitable off-by-one bug.
A local or remote attacker could exploit this vulnerability by sending
specially crafted request to rpc.mountd daemon. See this BugTraq post for more details. |
| Alerts: |
|
Comments (none posted)
openssh: timing attack leads to information disclosure
| Package(s): | openssh |
CVE #(s): | CAN-2003-0190
|
| Created: | May 2, 2003 |
Updated: | November 30, 2004 |
| Description: |
From the advisory:
"During a pen-test we stumbled across a nasty bug in OpenSSH-portable
with PAM support enabled (via the --with-pam configure script switch). This
bug allows a remote attacker to identify valid users on vulnerable systems,
through a simple timing attack. The vulnerability is easy to exploit and
may have high severity, if combined with poor password policies and other
security problems that allow local privilege escalation." |
| Alerts: |
|
Comments (1 posted)
perl information leak
| Package(s): | perl |
CVE #(s): | CAN-2003-0618
|
| Created: | February 2, 2004 |
Updated: | April 21, 2004 |
| Description: |
Paul Szabo discovered a number of bugs in suidperl, a helper
program to run perl scripts with setuid privileges. By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users. |
| Alerts: |
|
Comments (none posted)
PHP setting leaks from .htaccess files on virtual hosts
| Package(s): | php |
CVE #(s): | |
| Created: | February 9, 2004 |
Updated: | February 12, 2004 |
| Description: |
If the server configuration "php.ini" file has "register_globals = on"
and a request is made to one virtual host (which has "php_admin_flag
register_globals off") and the next request is sent to the another
virtual host (which does not have the setting) through the same Apache
child, the setting will persist.
Depending on the server and site, an attacker may be able to exploit
global variables to gain access to reserved areas, such as MySQL
passwords, or this vulnerability may simply cause a lack of
functionality. As a result, users are urged to upgrade their PHP
installations. |
| Alerts: |
|
Comments (none posted)
postfix: denial of service vulnerabilities
| Package(s): | postfix |
CVE #(s): | CAN-2003-0468
CAN-2003-0540
|
| Created: | August 5, 2003 |
Updated: | May 27, 2004 |
| Description: |
The postfix MTA, versions through 1.1.12 (but not 2.0) is subject to two remotely exploitable denial of service vulnerabilities; see this advisory from Michal Zalewski for details. |
| Alerts: |
|
Comments (none posted)
rsync - remotely exploitable heap overflow
| Package(s): | rsync |
CVE #(s): | CAN-2003-0962
|
| Created: | December 4, 2003 |
Updated: | March 3, 2004 |
| Description: |
An advisory has gone out warning of a
remotely exploitable heap overflow vulnerability in rsync versions 2.5.6
and prior. If you are running an rsync server, you will want to apply a
distributor patch or upgrade to 2.5.7 in the near future. |
| Alerts: |
|
Comments (none posted)
Multiple-use vulnerability in Safe.pm
| Package(s): | Safe.pm |
CVE #(s): | CAN-2002-1323
|
| Created: | October 9, 2002 |
Updated: | February 20, 2004 |
| Description: |
usePerl has a
description of a vulnerability in the Safe.pm Perl module. It seems
that if a Safe compartment is used more than once, it ceases to be safe.
The problem is fixed in Safe 2.08. |
| Alerts: |
|
Comments (none posted)
sane-backends: several vulnerabilities
| Package(s): | sane-backends |
CVE #(s): | CAN-2003-0773
CAN-2003-0774
CAN-2003-0775
CAN-2003-0776
CAN-2003-0777
CAN-2003-0778
|
| Created: | September 11, 2003 |
Updated: | February 20, 2004 |
| Description: |
Alexander Hvostov, Julien Blache and Aurelien Jarno discovered several
security-related problems in the sane-backends package, which contains
an API library for scanners including a scanning daemon (in the
package libsane) that can be remotely exploited. These problems allow
a remote attacker to cause a segfault fault and/or consume arbitrary
amounts of memory. The attack is successful, even if the attacker's
computer isn't listed in saned.conf.
You are only vulnerable if you actually run saned e.g. in xinetd or
inetd. If the entries in the configuration file of xinetd or inetd
respectively are commented out or do not exist, you are safe.
Try "telnet localhost 6566" on the server that may run saned. If you
get "connection refused" saned is not running and you are safe.
The Common Vulnerabilities and Exposures project identifies the
following problems:
-
CAN-2003-0773: saned checks the identity (IP address) of the remote
host only after the first communication took place (SANE_NET_INIT). So
everyone can send that RPC, even if the remote host is not allowed to
scan (not listed in saned.conf).
-
CAN-2003-0774: saned lacks error checking nearly everywhere in the
code. So connection drops are detected very late. If the drop of the
connection isn't detected, the access to the internal wire buffer leaves
the limits of the allocated memory. So random memory "after" the wire
buffer is read which will be followed by a segmentation fault.
-
CAN-2003-0775: If saned expects strings, it mallocs the memory
necessary to store the complete string after it receives the size of the
string. If the connection was dropped before transmitting the size,
malloc will reserve an arbitrary size of memory. Depending on that size
and the amount of memory available either malloc fails (->saned quits
nicely) or a huge amount of memory is allocated. Swapping and OOM
measures may occur depending on the kernel.
-
CAN-2003-0776: saned doesn't check the validity of the RPC numbers
it gets before getting the parameters.
-
CAN-2003-0777: If debug messages are enabled and a connection is
dropped, non-null-terminated strings may be printed and segmentation
faults may occur.
-
CAN-2003-0778: It's possible to allocate an arbitrary amount of
memory on the server running saned even if the connection isn't dropped.
At the moment this can not easily be fixed according to the author.
Better limit the total amount of memory saned may use (ulimit).
|
| Alerts: |
|
Comments (none posted)
screen: privilege escalation
| Package(s): | screen |
CVE #(s): | CAN-2003-0972
|
| Created: | November 28, 2003 |
Updated: | March 3, 2004 |
| Description: |
According to
this advisory a buffer overflow in GNU screen allows privilege
escalation for local users. Usually screen is installed either setgid-utmp
or setuid-root.
It also has some potential for remote attacks or getting control of another
user's screen. The problem is that you have to transfer around 2-3 gigabytes
of data to user's screen to exploit this vulnerability. 4.0.1, 3.9.15 and
older versions are vulnerable. |
| Alerts: |
|
Comments (none posted)
slocate: buffer overflow
| Package(s): | slocate |
CVE #(s): | CAN-2003-0848
|
| Created: | January 20, 2004 |
Updated: | February 16, 2004 |
| Description: |
A vulnerability was discovered in slocate, a program to index and
search for files, whereby a specially crafted database could overflow
a heap-based buffer. This vulnerability could be exploited by a local
attacker to gain the privileges of the "slocate" group, which can
access the global database containing a list of pathnames of all files
on the system, including those which should only be visible to
privileged users. This problem, and a category of potential similar
problems, can be fixed by modifying slocate to drop privileges before
reading a user-supplied database. |
| Alerts: |
|
Comments (none posted)
File overwrite vulnerability in tar and unzip
| Package(s): | tar unzip |
CVE #(s): | CAN-2001-1267
CAN-2001-1268
CAN-2001-1269
CAN-2002-0399
|
| Created: | October 1, 2002 |
Updated: | April 10, 2006 |
| Description: |
The tar utility does not properly filter file names containing
"../", meaning that a hostile archive can, if unpacked by an
unsuspecting user, overwrite any file that is writable by that user. GNU
tar versions 1.13.19 and earlier are vulnerable; unzip through version 5.42
has the same vulnerability. |
| Alerts: |
|
Comments (1 posted)
tcpdump: flaws in the ISAKMP decoding routines
| Package(s): | tcpdump |
CVE #(s): | CAN-2003-0989
CAN-2004-0057
CAN-2004-0055
|
| Created: | January 15, 2004 |
Updated: | April 6, 2004 |
| Description: |
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump
versions prior to 3.8.1. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue.
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding
routines of tcpdump versions up to and including 3.8.1. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0057 to this issue.
Jonathan Heusser discovered a flaw in the print_attr_string function in the
RADIUS decoding routines for tcpdump 3.8.1 and earlier. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name
CAN-2004-0055 to this issue.
Remote attackers could potentially exploit these issues by sending
carefully-crafted packets to a victim. If the victim uses tcpdump, these
packets could result in a denial of service, or possibly execute arbitrary
code as the 'pcap' user. |
| Alerts: |
|
Comments (none posted)
Multiple vendor telnetd vulnerability
| Package(s): | telnet Telnet netkit-telnet-ssl kerberos telnetd netkit-telnet nkitb/nkitserv/telnetd krb5 |
CVE #(s): | |
| Created: | May 21, 2002 |
Updated: | October 5, 2004 |
| Description: |
This vulnerability,
originally thought to be confined to BSD-derived systems, was first covered
in the July 26th Security
Summary. It is now known that Linux telnet daemons are vulnerable as
well.
|
| Alerts: |
|
Comments (none posted)
util-linux: information leak in the login program
| Package(s): | util-linux |
CVE #(s): | CAN-2004-0080
|
| Created: | February 3, 2004 |
Updated: | April 8, 2004 |
| Description: |
The util-linux package contains a large variety of low-level system
utilities that are necessary for a Linux system to function.
In some situations, the login program could use a pointer that had been
freed and reallocated. This could cause unintentional data leakage. |
| Alerts: |
|
Comments (1 posted)
XFree86: buffer overflow
| Package(s): | XFree86 |
CVE #(s): | CAN-2004-0083
CAN-2004-0084
CAN-2004-0106
|
| Created: | February 12, 2004 |
Updated: | February 23, 2004 |
| Description: |
The XFree86 code which reads "fonts.alias" files suffers from a buffer overflow which may be turned into a local root exploit; see this advisory for details. |
| Alerts: |
|
Comments (none posted)
Resources
Bruce Schneier's CRYPTO-GRAM newsletter for February is out; this issue
looks at security policies, ID requirements, spam solutions, and the
MyDoom worm. " I don't think the solution is to educate users. This is a case where
overall security is determined by the stupidest user. If 1,000 people
in your corporate network know enough not to click on the attachment
and only one does not, you're still infected."
Full Story (comments: 13)
Page editor: Jonathan Corbet
Next page: Kernel development>>
|
|
|