Information Security News mailing list archives

Linux Advisory Watch, October 6th 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 6 Oct 2000 13:36:02 -0400

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux  Advisory Watch  |
|  October 6th, 2000                       Volume 1, Number 23a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com


Linux Advisory Watch is a comprehensive newsletter that outlines
the security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for lpr, LPRng, libutil, gnorpm,
traceroute, and xinitrc.  The vendors include Conectiva, Immunix,
Mandrake, OpenBSD, and RedHat. It is critical that you update all
vulnerable packages.

One of the more serious advisories released this week is lpr.  There
is a format string bug in lpd that could potentially be exploited to
gain local root access.  There is also a bug in traceroute that could
result in a local root compromise.

HTML Version:
http://www.linuxsecurity.com/vuln-newsletter.html

-- OpenDoc Publishing ------------------------------------------//

Our sponsor this week is OpenDoc Publishing.  Their 480-page
comprehensive security book, Securing and Optimizing Linux, takes a
hands-on approach to installing, optimizing, configuring, and
securing Red Hat Linux. Topics include sendmail 8.10.1, OpenSSL,
ApacheSSL, OpenSSH and much more! Includes Red Hat 6.2 and Red Hat
6.2 PowerTools edition.

http://www.linuxsecurity.com/sponsors/opendocs.html


+---------------------------------+
|    Installing a new package:    | ----------------------------//
+---------------------------------+

   # rpm  -Uvh package-file.rpm
   # dpkg -i   package-file.deb

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the Advisories.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be used to compare against a previously-generated
sum to determine whether the file has changed. It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

  # md5sum package-file.rpm
    ebf0d4a0d236453f63a797ea20f0758b

The resulting string can then be compared against the MD5 checksum
published by the packager.  This check does not account for the
possibility that whoever modified a package also modified the
published checksum, but it still provides a great deal of assurance
in the integrity of a package before installing it.
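
The check described above can be scripted. The following is an added
example, not part of the original newsletter: it reads URL/MD5 pairs in
the layout this issue uses and checks downloaded files with md5sum -c.
The function names, example-1.0-1.i386.rpm and updates.example.com are
constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the newsletter): check downloaded packages against
# the "URL line, then MD5 line" pairs used in the advisories.

# extract_sums ADVISORY_TEXT_FILE
# Prints "md5  filename" for each URL that names a file and is followed by
# a 32-hex-digit line. URLs that end in a directory are skipped, because
# the package file name cannot be derived from them.
extract_sums() {
    awk '
        /^[ \t]*(ftp|http):\/\// {
            n = split($1, part, "/"); name = part[n]; next
        }
        /^[ \t]*[0-9a-f]+[ \t]*$/ && length($1) == 32 {
            if (name != "") print $1 "  " name
            name = ""; next
        }
        NF { name = "" }   # any other non-blank line breaks the pairing
    ' "$1"
}

# verify_all ADVISORY_TEXT_FILE DOWNLOAD_DIR
# Returns 0 only when every listed file exists in DOWNLOAD_DIR and matches.
verify_all() {
    sums=$(extract_sums "$1")
    [ -n "$sums" ] || { echo "no URL/MD5 pairs found in $1" >&2; return 2; }
    ( cd "$2" && printf '%s\n' "$sums" | md5sum -c )
}

# demo: builds a constructed stand-in package and advisory (hypothetical
# names, not vendor data), checks it, then alters the file and checks again.
demo() {
    d=$(mktemp -d) || return 1
    pkg=example-1.0-1.i386.rpm
    printf 'constructed package body\n' > "$d/$pkg"
    sum=$(md5sum < "$d/$pkg" | awk '{ print $1 }')
    printf '  ftp://updates.example.com/i386/%s\n  %s\n' "$pkg" "$sum" \
        > "$d/advisory.txt"
    ok=0;  verify_all "$d/advisory.txt" "$d" || ok=$?
    printf 'one altered byte\n' >> "$d/$pkg"
    bad=0; verify_all "$d/advisory.txt" "$d" || bad=$?
    rm -rf "$d"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}

# Typical use: install only after the check passes.
#   verify_all advisory.txt . && rpm -Uvh lpr-0.50-7.i386.rpm
```
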



+---------------------------------+
|        Conectiva Advisory       | ----------------------------//
+---------------------------------+


* Conectiva:  'lpr' vulnerability
October 5th, 2000

There is a format bug in lpd in a syslog() call that could be used to
obtain root access. The exploit would have to successfully inject
format strings in a hostname to cause damage.

  Updated Package: lpr-0.50-6cl

  ftp://atualizacoes.conectiva.com.br/4.0/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.0es/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.1/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/4.2/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.0/i386/lpr-0.50-6cl.i386.rpm
  ftp://atualizacoes.conectiva.com.br/5.1/i386/lpr-0.50-6cl.i386.rpm

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-757.html



* Conectiva:  'gnorpm' vulnerability
October 3rd, 2000

Gnorpm versions prior to 0.95 use files in the /tmp dir in an
insecure manner. If gnorpm is run as root, this vulnerability could
lead to any file on the system being overwritten by gnorpm.

  Updated Package: gnorpm-0.95.1-1cl

  ftp://atualizacoes.conectiva.com.br/5.1/RPMS/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-751.html



* Conectiva:  'traceroute' local root exploit
September 30th, 2000

Previous releases of traceroute contained some problems that could be
exploited to gain local root access. All users should upgrade the
traceroute package.

  Updated Package: traceroute-1.4a7-2cl

  ftp://atualizacoes.conectiva.com.br/5.1/i386/
  ftp://atualizacoes.conectiva.com.br/5.0/i386/

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/caldera_advisory-747.html


+---------------------------------+
|         GnoRPM  Advisory        | ----------------------------//
+---------------------------------+


* GnoRPM Vulnerability
October 2nd, 2000

While fixing other problems with the gnorpm package, a locally
exploitable security hole was found where a normal user could trick
root running GnoRPM into writing to arbitrary files due to a bug in
the gnorpm tmp file handling.

  Updated Package: gnorpm-0.95.1.tar.gz

  ftp://ftp.linux.org.uk:/pub/linux/alan/GNORPM/gnorpm-0.95.1.tar.gz
  80521433f88fa09899e9105a24c69ef9

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-750.html



+---------------------------------+
|         Immunix Advisory        | ----------------------------//
+---------------------------------+

* Immunix:  'lpr' vulnerability
October 4th, 2000

Packages have been built for Immunix OS 6.2 (StackGuarded versions of
the RedHat packages.)

  Updated Package: lpr-0.50-7_StackGuard.i386.rpm

  http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/
  5f08dd8fadc05e71bbdafad6b2744dc8


  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/other_advisory-755.html



+---------------------------------+
|       Mandrake Advisories       | ----------------------------//
+---------------------------------+

* Mandrake:  'lpr' vulnerability
October 5th, 2000

There is a format string bug in lpr with its calls to the syslog
facility. There are no known exploits at this time, but it may be
possible for a user to gain local root access. This new lpr fixes
this problem.

Updated Package: lpr-0.50-3mdk

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  d19963294f539c64a4e852fb3f1f8c89

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  128b012e397473163c1e2c1ed4b78806

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  0ce870aa142c3482bdd0ad7b72a422c1

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  6d82c047a905fea7edecc9bed347eae0

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-756.html


* Mandrake:  'traceroute' vulnerability
October 2nd, 2000

There is a bug in the traceroute program which causes segfaults and
which could potentially be exploited to provide root privilege
because the traceroute command is suid root. There are no known
exploits currently, but users are encouraged to upgrade.

  Updated Package: traceroute-1.4a5-12mdk

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.0/RPMS/
  1a4fa31d17673a14a19cc314109fea6f

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/6.1/RPMS/
  ff46d392fa729585f04ac4e00e9c55aa

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  016b778a737cc26eab3b6c59757e135c

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  956f739b513e353683f7a923ea716d06

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-749.html



* Mandrake: 'xinitrc' vulnerability
October 2nd, 2000

A problem exists in the /etc/X11/Xsession file which disables the
Xauthority mechanism of the localhost. This means that anyone logged
into the localhost can arbitrarily connect to an X server running on
the localhost. This is only a problem with systems that allow remote
logins and is not a problem on systems that do not support remote
logins or multiple users.

  Updated Package: xinitrc-2.4.4-11mdk

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.0/RPMS/
  9b93ae07b177ec62a2a3110924060bb4

  ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates/7.1/RPMS/
  8984bca66a1cf8f178125435cc8c786d

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/mandrake_advisory-748.html


+---------------------------------+
|       OpenBSD Advisory          | ----------------------------//
+---------------------------------+


* OpenBSD: libutil format string vulnerability
October 4th, 2000

A format string vulnerability present in the pw_error() function of
OpenBSD 2.7's libutil library can yield localhost users root access
through the setuid /usr/bin/chpass utility. This particular
vulnerability was repaired three months ago on June 30th in
OpenBSD-current during a complete source tree audit for format string
problems.

  * Patch available in vendor advisory.

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/openbsd_advisory-752.html


+---------------------------------+
|       Red Hat Advisories        | ----------------------------//
+---------------------------------+


* Redhat:  'LPRng' vulnerability
October 4th, 2000

LPRng has a string format bug in the use_syslog function. This
function returns user input in a string that is passed to the
syslog() function as the format string. It is possible to corrupt the
print daemon's execution with unexpected format specifiers, thus
gaining root access to the computer. The vulnerability is
theoretically exploitable both locally and remotely.

  Updated Package: LPRng-3.6.24-2

  ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm
  05251e71ae5f2d2fdbc6611eea6f8651

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-753.html



* Redhat:  'lpr' vulnerability
October 4th, 2000

lpr has a format string security bug. It also mishandles any
extension to the lpd communication protocol, and assumes that the
instructions contained in the extension are a file it should try to
print. It also has a race condition in the handling of queue
interactions that can cause the queue to wedge.

  Updated Package: lpr-0.50-7


  ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.alpha.rpm
  ed03f53623add36f3b6da694c49c89c2

  ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.sparc.rpm
  cc2da623757572ed07ab4d88c57422ae

  ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.i386.rpm
  bf72425f9ddb0f8d9e2643fbea360f23

--

  ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.alpha.rpm
  eaade33acd33346611b7171c2dd7ea03

  ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.sparc.rpm
  81a48e5d2d91d54d4ea8a4f9c89d5a41


  ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.i386.rpm
  542a70425ac1b75fb78880fc08f01986

  Vendor Advisory:
  http://www.linuxsecurity.com/advisories/redhat_advisory-754.html


------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

