Information Security News mailing list archives

Linux Advisory Watch, September 1st, 2000


From: vuln-newsletter-admins () linuxsecurity com
Date: Fri, 1 Sep 2000 14:59:26 -0400

+----------------------------------------------------------------+
|  LinuxSecurity.com                      Linux Advisory Watch   |
|  September 1st, 2000                     Volume 1, Number 18a  |
+----------------------------------------------------------------+

  Editors:     Dave Wreski                  Benjamin Thomas
               dave () linuxsecurity com       ben () linuxsecurity com

Welcome to Linux Advisory Watch.  This newsletter is derived from our
existing publication, 'Linux Security Week.'  We have decided to break
the newsletter up into two separate sections (News and Advisories)
because advisories require special attention.  The security of one's
system depends on diligence in upgrading packages. The Advisories
portion will be sent on Fridays and the News section will continue to be
distributed Mondays. We chose to take this action to improve readability
and reduce excess information.

 ###

Linux Advisory Watch is a comprehensive newsletter that outlines
the security vulnerabilities that have been announced throughout the
week.  It includes pointers to updated packages and descriptions of
each vulnerability.

This week, advisories were released for xpdf, glibc, xchat, netscape,
ntop, mgetty, go-gnome, and usermode.  The advisories released
were from Mandrake, TurboLinux, Debian, Conectiva, Red Hat, and
Caldera.  If you use any of these packages or distributions, update
these packages immediately.

This was quite a busy week for FreeBSD.  They released advisories for
the esound, mopd, netscape, xlockmore, and brouted packages. A local
DoS and a Linux binary compatibility vulnerability were also outlined.


+---------------------------------+
|   Installing a new package:     | ----------------------------//
+---------------------------------+

   # rpm  -Uvh <package-name.rpm>
   # dpkg -i   <package-name.deb>

Packages can be installed easily by using rpm (Red Hat Package
Manager) or dpkg (Debian Package Manager).  Most advisories
issued by vendors are packaged in either an rpm or dpkg.
Additional installation instructions can be found in the body
of the advisory.

+---------------------------------+
|   Checking Package Integrity:   | -----------------------------//
+---------------------------------+

The md5sum command is used to compute a 128-bit fingerprint that is
strongly dependent upon the contents of the file to which it is
applied.  It can be used to compare against a previously generated
sum to determine whether the file has changed.  It is commonly used
to ensure the integrity of updated packages distributed by a vendor.

  # md5sum <package-name>
    ebf0d4a0d236453f63a797ea20f0758b   <package-name>

The string of numbers can then be compared against the MD5 checksum
published by the packager.  While it does not take into account the
possibility that the same person who modified a package may also
have modified the published checksum, it is especially useful for
establishing a great deal of assurance in the integrity of a package
before installing it.


+---------------------------------+
|   Mandrake Advisories           |
+---------------------------------+


* Mandrake: xpdf vulnerability

There is a potential race condition when using tmpnam() and fopen() in
xpdf versions prior to 0.91.  This exploit can only be used as root to
overwrite arbitrary files if a symlink is created between the calls to
tmpnam() and fopen().

http://www.linuxsecurity.com/advisories/mandrake_advisory-670.html
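
The tmpnam()/fopen() race above is the same class of bug as the mgetty,
go-gnome and faxrunq /tmp issues later in this issue.  The following is an
added example, not code from xpdf or from the advisory: it sets a
fopen()-style open beside an atomic O_CREAT|O_EXCL open.  The function
names and the /tmp/lawdemo* directory are assumptions made for the demo.

```c
#define _XOPEN_SOURCE 700   /* mkdtemp(), symlink() */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the advisory: a name is picked first (tmpnam), then opened
 * with fopen(), which follows any symlink planted at that name in between. */
int write_unsafe(const char *path, const char *data) {
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(data, f);
    return fclose(f);
}

/* Hardened: O_CREAT|O_EXCL creates atomically and fails with EEXIST if
 * anything, even a symlink, is already there (mkstemp() does this too). */
int write_safe(const char *path, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Constructed scenario in a private mkdtemp() directory: "target" stands in
 * for a file owned by the privileged user, "tmp" is the predictable temp
 * name, already a symlink to it.  Returns target's size after the write. */
long scenario(int use_safe) {
    char dir[] = "/tmp/lawdemoXXXXXX", target[64], tmp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/tmp", dir);
    if (write_safe(target, "important\n") != 0) return -1;  /* 10 bytes */
    if (symlink(target, tmp) != 0) return -1;
    if (use_safe) write_safe(tmp, "x"); else write_unsafe(tmp, "x");
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("fopen():  target is now %ld bytes\n", scenario(0));
    printf("O_EXCL:   target is now %ld bytes\n", scenario(1));
    return 0;
}
```

The demo uses a private, non-sticky directory because current Linux kernels
can refuse to follow such links in sticky world-writable directories when
the fs.protected_symlinks sysctl is enabled.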


* Mandrake: glibc vulnerability

A bug was discovered in ld.so that could allow local users to obtain
root privileges.  The dynamic loader, ld.so, is responsible for making
shared libraries available within a program at run-time.  Normally, a
user is allowed to load additional shared libraries when executing a
program; they can be specified with environment variables such as
LD_PRELOAD.

http://www.linuxsecurity.com/advisories/mandrake_advisory-667.html


* Mandrake: xchat vulnerability

To open the URL in a browser, XChat passes the command to /bin/sh.
This allows a malicious URL the ability to execute arbitrary shell
commands as the user that is running XChat.

http://www.linuxsecurity.com/advisories/mandrake_advisory-669.html


+---------------------------------+
|   TurboLinux Advisory           |
+---------------------------------+


* TurboLinux: 'netscape' vulnerability

It is possible for the browser to act as a web server for the client's
entire machine, and it can also allow access into the client machine via
a buffer overrun condition.

http://www.linuxsecurity.com/advisories/turbolinux_advisory-677.html


+---------------------------------+
|   Debian Advisories             |
+---------------------------------+


* Debian: Updated 'xchat' packages available.

The version of X-Chat that was distributed with Debian GNU/Linux 2.2
has a vulnerability in the URL handling code: when a user clicks on
a URL, X-Chat will start netscape to view its target. However, it
did not check the URL for shell metacharacters, and this could be
abused to trick xchat into executing arbitrary commands.

http://www.linuxsecurity.com/advisories/debian_advisory-671.html
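
The Mandrake and Debian xchat entries describe the same flaw: a URL handed
to /bin/sh unchecked.  The following is an added example, not X-Chat's code
or its fix: it runs a helper through the shell and then through execlp()
with the URL as a single argument.  The echo command standing in for the
browser, the function names and the sample URL are assumptions.

```c
#define _XOPEN_SOURCE 700   /* popen(), fork() */
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: URL pasted into a /bin/sh command line ("echo" = browser). */
int open_url_shell(const char *url, char *out, size_t cap) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo %s", url);
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    out[fread(out, 1, cap - 1, p)] = '\0';
    return pclose(p);
}

/* Hardened: no shell; the URL is one argv element and is never parsed. */
int open_url_exec(const char *url, char *out, size_t cap) {
    int fds[2], status = -1;
    pid_t pid;
    if (pipe(fds) != 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {                       /* child: stdout -> pipe */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execlp("echo", "echo", url, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], out, cap - 1);
    out[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    waitpid(pid, &status, 0);
    return status;
}

/* Returns 1 if the helper received exactly the URL, 0 if the shell split it. */
int url_passed_verbatim(int use_exec) {
    const char *url = "http://example.invalid/;echo INJECTED"; /* constructed */
    char out[256] = "", want[256];
    snprintf(want, sizeof want, "%s\n", url);
    if (use_exec) open_url_exec(url, out, sizeof out);
    else open_url_shell(url, out, sizeof out);
    return strcmp(out, want) == 0;
}

int main(void) {
    printf("via /bin/sh: verbatim=%d\n", url_passed_verbatim(0));
    printf("via execlp:  verbatim=%d\n", url_passed_verbatim(1));
    return 0;
}
```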


* Debian: UPDATE: ntop remote exploit vulnerability

The updated version of ntop (1.2a7-10) that was released on August 5
was found to still be insecure: it was still exploitable using buffer
overflows. Using this technique it was possible to run arbitrary code
as the user who ran ntop in web mode.

http://www.linuxsecurity.com/advisories/debian_advisory-668.html


+---------------------------------+
|   Conectiva Advisory            |
+---------------------------------+


* Conectiva: 'mgetty' vulnerability.

Versions prior to 1.1.22 have a vulnerability which could lead to
mgetty overwriting any file in the system via a symlink attack.

http://www.linuxsecurity.com/advisories/other_advisory-674.html



+---------------------------------+
|   Helix GNOME Advisory          |
+---------------------------------+


* Helix GNOME: 'go-gnome' vulnerability

A vulnerability in the go-gnome pre-installer allows non-root
users to exploit world-writable permissions in /tmp, permitting
files normally only accessible by root to be overwritten.

http://www.linuxsecurity.com/advisories/other_advisory-675.html



+---------------------------------+
|   RedHat Advisory               |
+---------------------------------+


* RedHat: Updated 'usermode' packages available

The usermode package allows unprivileged users logged in at the system
console to run the halt, poweroff, reboot, and shutdown commands
without using the superuser's password.  The halt, poweroff, and reboot
abilities are useful, but an unprivileged user can also bring the
system to single-user mode by running "shutdown now" with no additional
flags.  This update removes the "shutdown" command from the list of
commands unprivileged users can run.

http://www.linuxsecurity.com/advisories/redhat_advisory-673.html


+---------------------------------+
|   Caldera Advisory              |
+---------------------------------+


*  Caldera: /tmp file race in faxrunq

The mgetty package contains a number of tools for sending and receiving
facsimiles. One of the tools, faxrunq, uses a marker file in a world
writable directory in an insecure fashion. This bug allows malicious
users to clobber files on the system owned by the user invoking faxrunq.

http://www.linuxsecurity.com/advisories/caldera_advisory-672.html



+---------------------------------+
|   FreeBSD Advisories            |
+---------------------------------+


* FreeBSD: 'esound' vulnerability.

Local users can cause files or directories owned by the target user
to become world-writable when that user runs the esd daemon (e.g. by
starting a GNOME session), allowing a security breach of that user
account (or the entire system if esd is run by root). If you have not
chosen to install the esound port/package, then your system is not
vulnerable to this problem.

http://www.linuxsecurity.com/advisories/freebsd_advisory-676.html


* FreeBSD: Malformed ELF image vulnerability

Local users can cause the system to lock up for an extended period of
time (15 minutes or more, depending on CPU speed), during which time
the system is completely unresponsive to local and remote users.

http://www.linuxsecurity.com/advisories/freebsd_advisory-666.html


* FreeBSD: Linux binary compatibility vulnerability

Filenames in this shadow hierarchy are treated incorrectly by the
linux kernel module under certain circumstances, and a kernel stack
overflow leading to a system compromise by an unprivileged user may be
possible when very long filenames are used. This is only possible when
the linux kernel module is loaded, or the equivalent functionality is
statically compiled into the kernel. It is not enabled by default.

http://www.linuxsecurity.com/advisories/freebsd_advisory-662.html


* FreeBSD: Local DoS vulnerability

Local users can cause the system to lock up for an extended period of
time (15 minutes or more, depending on CPU speed), during which time
the system is completely unresponsive to local and remote users.

http://www.linuxsecurity.com/advisories/freebsd_advisory-663.html


* FreeBSD: Netscape vulnerabilities

Remote users can read files on the local system accessible to the user
running netscape, if java is enabled, and may be able to execute
arbitrary code on the local system as that user. If you have not chosen
to install a netscape port/package, then your system is not vulnerable
to this problem.

http://www.linuxsecurity.com/advisories/freebsd_advisory-665.html


* FreeBSD: mopd remote root compromise

The mopd port contains several remotely exploitable vulnerabilities.
An attacker exploiting these can execute arbitrary code on the local
machine as root.  The mopd port is not installed by default, nor is
it "part of FreeBSD" as such: it is part of the FreeBSD ports
collection, which contains over 3700 third-party applications in a
ready-to-install format. The ports collections shipped with FreeBSD
3.5-RELEASE and 4.1-RELEASE contain this problem, since it was
discovered after the releases.

http://www.linuxsecurity.com/advisories/freebsd_advisory-664.html


* FreeBSD: xlockmore vulnerability

Unprivileged local users may be able to gain unauthorised access to
parts of the /etc/spwd.db file, allowing them to mount guessing
attacks against user passwords. If you have not chosen to install
the xlockmore port/package, then your system is not vulnerable to
this problem.

http://www.linuxsecurity.com/advisories/freebsd_advisory-660.html


* FreeBSD: brouted vulnerability

Unprivileged local users can obtain group kmem privileges, and upgrade
further to full root privileges. If you have not chosen to install the
brouted port/package, then your system is not vulnerable to this
problem.

http://www.linuxsecurity.com/advisories/freebsd_advisory-661.html
------------------------------------------------------------------------
Distributed by: Guardian Digital, Inc.                LinuxSecurity.com

     To unsubscribe email vuln-newsletter-request () linuxsecurity com
         with "unsubscribe" in the subject of the message.
------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com