[ISN] Linux Advisory Watch - March 16th 2001 (fwd)

Dave Dittrich dittrich at cac.washington.edu
Sat Mar 17 08:26:56 PST 2001


---------- Forwarded message ----------
Date: Fri, 16 Mar 2001 10:14:27 -0500
Subject: [ISN] Linux Advisory Watch - March 16th 2001
From: vuln-newsletter-admins at linuxsecurity.com
To: ISN at SECURITYFOCUS.COM

+----------------------------------------------------------------+

| LinuxSecurity.com Linux Advisory Watch |

| March 16th, 2001 Volume 2, Number 11a |

+----------------------------------------------------------------+

Editors: Dave Wreski Benjamin Thomas
dave at linuxsecurity.com ben at linuxsecurity.com

Linux Advisory Watch is a comprehensive newsletter that outlines the
security vulnerabilities that have been announced throughout the
week. It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for imap, joe, gnuserv, zope,
mailx, icecast, cfengine, rwhod, interbase, slrn, Mesa, sudo,
sgml-tools, and mutt. The vendors include Caldera, Debian, Immunix,
FreeBSD, Mandrake, Red Hat, and Trustix.

* Guardian Digital Presents EnGarde Linux
EnGarde is the next generation in Linux security providing a complete
suite of e-business services, intrusion alert capabilities, improved
authentication and access control utilizing strong cryptography, and
complete SSL secure Web-based administration capabilities.

http://www.engardelinux.org/preannounce.html


HTML Version of Newsletter:
http://www.linuxsecurity.com/vuln-newsletter.html


+---------------------------------+

| Installing a new package: | ------------------------------//

+---------------------------------+

# rpm -Uvh <package-file.rpm>
# dpkg -i <package-file.deb>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager). Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+

| Checking Package Integrity: | -----------------------------//

+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied. It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

# md5sum <package-file>
ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager. This does not account for the possibility
that whoever modified a package may also have modified the published
checksum, but it is especially useful for establishing a great deal
of assurance in the integrity of a package before installing.
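
The comparison described above can be scripted. This is an added
example, not part of the original newsletter: the function names are
hypothetical, and the list format (a package path line followed by its
checksum line) is assumed from the Mandrake entries further down.

```shell
#!/bin/sh
# Added example: check downloaded packages against advisory MD5 sums.

# md5_of FILE -> prints only the hex digest
md5_of() {
    md5sum "$1" | cut -d' ' -f1
}

# verify_md5 FILE EXPECTED -> 0 match, 1 mismatch, 2 unusable input
verify_md5() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A published MD5 sum is exactly 32 hex digits; reject truncated pastes.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || return 2
    [ -f "$file" ] || return 2
    [ "$(md5_of "$file")" = "$expected" ]
}

# verify_list DIR LISTFILE -> checks each "path / checksum" pair against
# the file of the same name in DIR; non-zero if any package fails.
verify_list() {
    dir=$1; failed=0; pkg=
    while IFS= read -r line; do
        # Drop indentation and CRs left over from e-mail copy/paste.
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if [ -z "$pkg" ]; then
            pkg=$line              # first line of a pair: package path
            continue
        fi
        if verify_md5 "$dir/$(basename "$pkg")" "$line"; then
            echo "OK      $pkg"
        else
            echo "FAILED  $pkg"
            failed=1
        fi
        pkg=
    done < "$2"
    return "$failed"
}
```

A match only shows that the file equals what the checksum's publisher
hashed, so take the checksum from the vendor advisory rather than from
the download mirror. MD5 is no longer collision-resistant; where the
vendor also signs its packages, check the signature as well.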


+---------------------------------+

| Caldera | ----------------------------//

+---------------------------------+

* Caldera: buffer overflows in the 'imap' package
March 12th, 2001

There are several buffer overflows in imap, ipop2d and ipop3d. These
overflows usually only make it possible for local users to gain
access to a process running under their own UID.

imap-4.6.BETA-2.i386.rpm
ftp://ftp.calderasystems.com/pub/updates/
OpenLinux/2.3/current/RPMS/

Vendor Advisory:
http://www.linuxsecurity.com/advisories/caldera_advisory-1206.html


+---------------------------------+

| Debian | ----------------------------//

+---------------------------------+


* Debian: 'mailx' buffer overflow
March 13th, 2001

The mail program (a simple tool to read and send email) as
distributed with Debian GNU/Linux 2.2 has a buffer overflow in the
input parsing code. Since mail is installed setgid mail by default,
this allowed local users to use it to gain access to the mail group.

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/mailx_8.1.1-10.1.5_i386.deb
MD5 checksum: 18d30b35676fa9887a626c46909c9d9d

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1212.html


* Debian: 'zope' update
March 9th, 2001

The issue involves the fact that the getRoles method of user objects
contained in the default UserFolder implementation returns a mutable
Python type. Because the mutable object is still associated with the
persistent User object, users with the ability to edit DTML could
arrange to give themselves extra roles for the duration of a single
request by mutating the roles list as a part of the request
processing.

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/zope_2.1.6-7_i386.deb
MD5 checksum: 40d548dc5e6b8927baf59a6b0da7591c

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1203.html


* Debian: 'gnuserv', 'xemacs21' vulnerabilities
March 9th, 2001

Gnuserv has a buffer for which insufficient boundary checks were
made. Unfortunately this buffer affected access control to gnuserv
which is using an MIT-MAGIC-COOKIE based system. It is possible to
overflow the buffer containing the cookie and foozle cookie
comparison.

PLEASE SEE VENDOR ADVISORY FOR UPDATE
Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1202.html


* Debian: 'joe' vulnerability
March 9th, 2001

joe will look for a configuration file in three locations: the
current directory, the user's home directory ($HOME) and in /etc/joe.
Since the configuration file can define commands joe will run (for
example to check spelling), reading it from the current directory can
be dangerous: an attacker can leave a .joerc file in a writable
directory, which would be read when an unsuspecting user starts joe in
that directory.

Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/main/
binary-i386/joe_2.8-15.3_i386.deb
MD5 checksum: 39f680f8fde72d0958431f617e774123

Vendor Advisory:
http://www.linuxsecurity.com/advisories/debian_advisory-1201.html



+---------------------------------+

| Immunix | ----------------------------//

+---------------------------------+

* Immunix: 'mutt' format string vulnerability & more
March 15th, 2001

Immunix 7.0 does not install the mutt package by default but provides
it in the extras/unsupported directory so it does not need to be
upgraded unless it has been installed manually by the system
administrator.

http://immunix.org/ImmunixOS/6.2/updates/RPMS/
mutt-1.2.5i-8.6_StackGuard.i386.rpm
Vendor Advisory:


* Immunix: 'slrn' buffer overflow
March 15th, 2001

A buffer overflow in the slrn news reader has been reported by Bill
Nottingham. This buffer is created on the heap, so it is not
protected from overflows by the StackGuard compiler.

http://immunix.org/ImmunixOS/6.2/updates/RPMS/
slrn-0.9.6.4-0.6_StackGuard.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1221.html


* Immunix: 'sgml-tools' vulnerabilities
March 15th, 2001

Previous versions of the sgml-tools package would create temporary
files without any special permissions in the /tmp directory. This
could allow any user to read files that were being created by any
other user.

Precompiled binary package for Immunix 6.2 is available at:
http://immunix.org/ImmunixOS/6.2/updates/RPMS/
sgml-tools-1.0.9-6.2_StackGuard.i386.rpm

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1222.html



+---------------------------------+

| FreeBSD | ----------------------------//

+---------------------------------+


* FreeBSD: 'interbase' ports vulnerability
March 13th, 2001

Remote users who can connect to the interbase database server can
obtain full access to all databases using a backdoor account built
into the server itself. This account cannot be disabled.

PLEASE SEE VENDOR ADVISORY

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1211.html


* FreeBSD: 'icecast' ports vulnerability
March 13th, 2001

Arbitrary remote users can execute arbitrary code on the local system
as the user running icecast, usually the root user. If you have not
chosen to install the icecast port/package, then your system is not
vulnerable to this problem.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/audio/icecast-1.3.7_1.tgz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1207.html


* FreeBSD: 'cfengine' ports vulnerability
March 13th, 2001

Arbitrary remote users can execute code on the local system as the
user running cfengine, usually user root. If you have not chosen to
install the cfengine port/package, then your system is not vulnerable
to this problem.

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/
packages-5-current/sysutils/cfengine-1.6.3.tar.gz

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1208.html


* FreeBSD: 'rwhod' DoS
March 13th, 2001

Malformed packets sent to the rwhod daemon could cause it to crash,
thereby denying service to clients if rwhod is not run under a
watchdog process which causes it to automatically restart in the
event of a failure. The rwhod daemon is not run in this way in the
default invocation from /etc/rc.conf using the rwhod_enable variable.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch

Vendor Advisory:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1210.html


+---------------------------------+

| Mandrake | ----------------------------//

+---------------------------------+

* Mandrake: 'sgml-tools' vulnerabilities
March 15th, 2001

A buffer overflow exists in versions of the slrn news reader prior to
0.9.6.3pl4 as reported by Bill Nottingham. This problem exists in the
wrapping/unwrapping functions and a long header in a message might
overflow a buffer which could result in execution of arbitrary code
encoded in the message.

7.2/RPMS/sgml-tools-1.0.9-8.1mdk.i586.rpm
c5e48714e3da71f692e447eb942a368b

http://www.linux-mandrake.com/en/ftp.php3

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1219.html


* Mandrake: 'Mesa' vulnerability
March 14th, 2001

Ben Collins identified a temporary file race in the Utah-glx
component of the Mesa package which affects Linux-Mandrake 7.2. The
/tmp/glxmemory file is created by Utah-glx and because it is not
created securely could be used in a symlink attack which allows files
to be overwritten the next time the X server is started.

http://www.linux-mandrake.com/en/ftp.php3
7.2/RPMS/Mesa-3.3-14.1mdk.i586.rpm
d75f85f30af6c8fb57938b76323067ce

7.2/RPMS/Mesa-common-3.3-14.1mdk.i586.rpm
1a8bddaf0f26c5d1caa5c3af44d1c108

7.2/RPMS/Mesa-common-devel-3.3-14.1mdk.i586.rpm
ffd886a66f866faaf9ae0b7402644cde

7.2/RPMS/Mesa-demos-3.3-14.1mdk.i586.rpm
c9f32276cd54d8772c31afba619bf856

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1214.html



* Mandrake: 'sudo' buffer overflow
March 14th, 2001

A buffer overflow exists in the sudo program which could be used by
an attacker to obtain higher privileges. sudo is a program used to
delegate superuser privileges to ordinary users and only for specific
commands.

http://www.linux-mandrake.com/en/ftp.php3
7.2/RPMS/sudo-1.6.3p6-1.1mdk.i586.rpm
fe583824271ac2a5af6dd533027e8794

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1215.html


* Mandrake: 'slrn' buffer overflow
March 9th, 2001

A buffer overflow exists in versions of the slrn news reader prior to
0.9.6.3pl4 as reported by Bill Nottingham. This problem exists in the
wrapping/unwrapping functions and a long header in a message might
overflow a buffer which could result in execution of arbitrary code
encoded in the message.

PLEASE SEE VENDOR ADVISORY

Vendor Advisory:
http://www.linuxsecurity.com/advisories/mandrake_advisory-1205.html



+---------------------------------+

| Red Hat | ----------------------------//

+---------------------------------+


* Red Hat: 'mutt' format string vulnerability
March 15th, 2001

It is recommended that all mutt users using Red Hat Linux upgrade to
the new packages. The version of mutt shipped in Red Hat Linux 7.0
does not contain the format string vulnerability; it is merely a
bugfix update.

7.0 i386:
ftp://updates.redhat.com/7.0/i386/mutt-1.2.5i-8.7.i386.rpm
0d528824313b49c60a21a513e1056067

6.2 i386:
ftp://updates.redhat.com/6.2/i386/mutt-1.2.5i-8.6.i386.rpm
362d9fcec4018f1c59ef43be0a276807

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1217.html



* Red Hat: 'sgml-tools' vulnerability
March 15th, 2001

Temporary files were created without any special permissions, and so
in most cases would be world-readable. The fixed packages create a
secure temporary directory first (readable only by the owner), and
then create temporary files inside that.

6.2 i386:
ftp://updates.redhat.com/7.0/i386/sgml-tools-1.0.9-9.i386.rpm
16a855840b74f58d41c4774a7dcc7cff

7.0 i386:
ftp://updates.redhat.com/6.2/i386/sgml-tools-1.0.9-6.2.i386.rpm
9e6a04a8e0b6e18f33c58fb7c02937b2

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1218.html
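
The sgml-tools entries and the Mesa /tmp/glxmemory entry describe the
same class of problem: a scratch file created directly in a shared
directory. The following is an added example, not code from any of the
affected packages, contrasting that pattern with the "private directory
first" fix the Red Hat advisory describes; function and file names are
hypothetical.

```shell
#!/bin/sh
# Added example: temp-file creation before and after the described fix.

# Flawed pattern: predictable name directly in a shared directory,
# created with an ordinary umask. The file ends up world-readable and a
# plain '>' will write through whatever already exists at that path.
unsafe_scratch() (
    umask 022
    f="$1/convert.$$.tmp"          # name is guessable from the PID
    echo "draft contents" > "$f"
    printf '%s\n' "$f"
)

# Fixed pattern: create a private directory first, then files inside it.
safe_scratch() (
    umask 077                      # owner-only for everything created below
    # mktemp -d picks a random name, creates the directory with mode 0700,
    # and fails instead of reusing a path that already exists.
    d=$(mktemp -d "$1/convert.XXXXXX") || exit 1
    set -C                         # noclobber: '>' refuses to overwrite an existing file
    echo "draft contents" > "$d/out.tmp" || exit 1
    printf '%s\n' "$d/out.tmp"
)

# perms PATH -> the 10-character mode string from ls, e.g. "-rw-------"
perms() {
    ls -ld "$1" | cut -c1-10
}
```

Both functions take the shared directory as their argument and print
the path they created, so perms can be run on the result to compare the
two outcomes.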



* Red Hat: 'slrn' overflow
March 14th, 2001

An overflow exists in the slrn package as shipped in Red Hat Linux 7
and Red Hat Linux 6.x, which could possibly lead to remote users
executing arbitrary code as the user running slrn.

i386:
ftp://updates.redhat.com/7.0/i386/slrn-0.9.6.4-0.7.i386.rpm
dd601a7324b5589326a5d92d3d2ee27f

ftp://updates.redhat.com/7.0/i386/slrn-pull-0.9.6.4-0.7.i386.rpm
d49c0b47e967bd9abdb7fec655b8e3ff

Vendor Advisory:
http://www.linuxsecurity.com/advisories/redhat_advisory-1216.html



+---------------------------------+

| Trustix | ----------------------------//

+---------------------------------+

Trustix: 'sudo' buffer overflow - 3/14/2001

Trustix today released an updated version of the sudo package
fixing a buffer overflow, as announced by the sudo maintainer
Todd C. Miller.

sudo-1.6.3p6-1tr.i586.rpm
cc969c9746bea3ff01470c1eaf3ee415
ftp://ftp.trustix.net/pub/Trustix/updates/

Vendor Advisory:
http://www.linuxsecurity.com/advisories/other_advisory-1213.html



------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc. LinuxSecurity.com

To unsubscribe email vuln-newsletter-request at linuxsecurity.com
with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV at SecurityFocus.com with a message body of
"SIGNOFF ISN".



