Gentoo Archives: gentoo-announce

From: Dan Margolis <krispykringle@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××.com, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200409-15 ] Webmin, Usermin: Multiple vulnerabilities in Usermin
Date: Sun, 12 Sep 2004 19:51:17
Message-Id: 4144A801.1040108@gentoo.org
1 -----BEGIN PGP SIGNED MESSAGE-----
2 Hash: SHA1
3
4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
5 Gentoo Linux Security Advisory GLSA 200409-15
6 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
7 http://security.gentoo.org/
8 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
9
10 Severity: Normal
11 Title: Webmin, Usermin: Multiple vulnerabilities in Usermin
12 Date: September 12, 2004
13 Bugs: #63167
14 ID: 200409-15
15
16 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
17
18 Synopsis
19 ========
20
21 A vulnerability in the webmail function of Usermin could be used by an
22 attacker to execute shell code via a specially-crafted e-mail. A bug
23 in the installation script of Webmin and Usermin also allows a local
24 user to execute a symlink attack at installation time.
25
26 Background
27 ==========
28
29 Webmin and Usermin are web-based system administration consoles. Webmin
30 allows an administrator to easily configure servers and other features.
31 Usermin allows users to configure their own accounts, execute commands,
32 and read e-mail. The Usermin functionality, including webmail, is also
33 included in Webmin.
34
35 Affected packages
36 =================
37
38 -------------------------------------------------------------------
39 Package / Vulnerable / Unaffected
40 -------------------------------------------------------------------
41 1 app-admin/usermin < 1.090 >= 1.090
42 2 app-admin/webmin < 1.160 >= 1.160
43 -------------------------------------------------------------------
44 2 affected packages on all of their supported architectures.
45 -------------------------------------------------------------------
46
47 Description
48 ===========
49
50 There is an input validation bug in the webmail feature of Usermin.
51
52 Additionally, the Webmin and Usermin installation scripts write to
53 /tmp/.webmin without properly checking if it exists first.
54
55 Impact
56 ======
57
58 The first vulnerability allows a remote attacker to inject arbitrary
59 shell code in a specially-crafted e-mail. This could lead to remote
60 code execution with the privileges of the user running Webmin or
61 Usermin.
62
63 The second could allow local users who know Webmin or Usermin is going
64 to be installed to have arbitrary files be overwritten by creating a
65 symlink by the name /tmp/.webmin that points to some target file, e.g.
66 /etc/passwd.
67
68 Workaround
69 ==========
70
71 There is no known workaround at this time.
72
73 Resolution
74 ==========
75
76 All Usermin users should upgrade to the latest version:
77
78 # emerge sync
79
80 # emerge -pv ">=app-admin/usermin-1.090"
81 # emerge ">=app-admin/usermin-1.090"
82
83 All Webmin users should upgrade to the latest version:
84
85 # emerge sync
86
87 # emerge -pv ">=app-admin/webmin-1.160"
88 # emerge ">=app-admin/webmin-1.160"
89
90 References
91 ==========
92
93 [ 1 ] Secunia Advisory SA12488
94 http://secunia.com/advisories/12488/
95 [ 2 ] Usermin Changelog
96 http://www.webmin.com/uchanges.html
97
98 Availability
99 ============
100
101 This GLSA and any updates to it are available for viewing at
102 the Gentoo Security Website:
103
104 http://security.gentoo.org/glsa/glsa-200409-15.xml
105
106 Concerns?
107 =========
108
109 Security is a primary focus of Gentoo Linux and ensuring the
110 confidentiality and security of our users machines is of utmost
111 importance to us. Any security concerns should be addressed to
112 security@g.o or alternatively, you may file a bug at
113 http://bugs.gentoo.org.
114
115 License
116 =======
117
118 Copyright 2004 Gentoo Foundation, Inc; referenced text
119 belongs to its owner(s).
120
121 The contents of this document are licensed under the
122 Creative Commons - Attribution / Share Alike license.
123
124 http://creativecommons.org/licenses/by-sa/1.0
125 -----BEGIN PGP SIGNATURE-----
126 Version: GnuPG v1.2.4 (GNU/Linux)
127 Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
128
129 iQEVAwUBQUSoAbDO2aFJ9pv2AQIrDggAuEDR9uz2KNl/7Z0a+kn/wZ0eaf4/gmsS
130 RG6539CXmk9m4HIyz204duru9Qp8LTAhBabOvf4VyofWNtKEhF+Ide5w++4rBkKE
131 mEeD4fCOEr4TUMjVx8qSXjbGSSzGYCREB2PwnHm+G8k3RFaqgtEPmusBr0Kh0WWh
132 UwKGGIuHU5m8LuT1kq7frGDy7zZzbPtOPqp3vkSDsaIQhJckk6cIUlo/qezwrBtg
133 t9oZ8qm1cILR0n+y9IxbBVdZLRwhHoLpBrBI/spJOT2+J7Szl/RRyn78eFtAqjVx
134 G9Ng8RO36Q/JBMdrzNx/zwTEsLTRNi1nkpMFrOMyBNzjTIhZBlZ+Bg==
135 =wprj
136 -----END PGP SIGNATURE-----