[gentoo-announce] [ GLSA 200404-19 ] Buffer overflows and format string - gentoo-announce

From:	"Joshua J. Berry" <condordes@g.o>
To:	gentoo-announce@l.g.o
Subject:	[gentoo-announce] [ GLSA 200404-19 ] Buffer overflows and format string
Date:	Tue, 27 Apr 2004 05:22:04
Message-Id:	`E1BIL0m-00034G-FK@smtp.gentoo.org`

1

vulnerabilities in LCDproc

2

Date: Mon, 26 Apr 2004 22:19:53 -0700

3

User-Agent: KMail/1.6.1

4

Cc: bugtraq@×××××××××××××.com,

5

 full-disclosure@××××××××××××.com,

6

 security-alerts@×××××××××××××.com,

7

 gentoo-core@g.o

8

MIME-Version: 1.0

9

X-KMail-Identity: 422776557

10

Content-Type: multipart/signed;

11

  protocol="application/pgp-signature";

12

  micalg=pgp-sha1;

13

  boundary="Boundary-02=_/1ejAdIdlhzyUYy";

14

  charset="us-ascii"

15

Content-Transfer-Encoding: 7bit

16

Message-Id: <200404262219.59698.condordes@g.o>

17

Status: R

18

X-Status: NQ

19

X-KMail-EncryptionState:  

20

X-KMail-SignatureState:  

21

X-KMail-MDN-Sent:  

22

23

24

--Boundary-02=_/1ejAdIdlhzyUYy

25

Content-Type: text/plain;

26

  charset="us-ascii"

27

Content-Transfer-Encoding: 7bit

28

Content-Disposition: inline

29

30

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

31

Gentoo Linux Security Advisory                           GLSA 200404-19

32

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

33

                                            http://security.gentoo.org/

34

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

35

36

  Severity: Normal

37

     Title: Buffer overflows and format string vulnerabilities in

38

            LCDproc

39

      Date: April 27, 2004

40

      Bugs: #47340

41

        ID: 200404-19

42

43

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

44

45

Synopsis

46

========

47

48

Multiple remote vulnerabilities have been found in the LCDd server,

49

allowing execution of arbitrary code with the rights of the LCDd user.

50

51

Background

52

==========

53

54

LCDproc is a program that displays various bits of real-time system

55

information on an LCD. It makes use of a local server (LCDd) to collect

56

information to display on the LCD.

57

58

Affected packages

59

=================

60

61

    -------------------------------------------------------------------

62

     Package           /    Vulnerable    /                  Unaffected

63

    -------------------------------------------------------------------

64

  1  app-misc/lcdproc       <= 0.4.4-r1                        >= 0.4.5

65

66

Description

67

===========

68

69

Due to insufficient checking of client-supplied data, the LCDd server

70

is susceptible to two buffer overflows and one string buffer

71

vulnerability. If the server is configured to listen on all network

72

interfaces (see the Bind parameter in LCDproc configuration), these

73

vulnerabilities can be triggered remotely.

74

75

Impact

76

======

77

78

These vulnerabilities allow an attacker to execute code with the rights

79

of the user running the LCDproc server. By default, this is the

80

"nobody" user.

81

82

Workaround

83

==========

84

85

A workaround is not currently known for this issue. All users are

86

advised to upgrade to the latest version of the affected package.

87

88

Resolution

89

==========

90

91

LCDproc users should upgrade to version 0.4.5 or later:

92

93

    # emerge sync

94

95

    # emerge -pv ">=app-misc/lcdproc-0.4.5"

96

    # emerge ">=app-misc/lcdproc-0.4.5"

97

98

References

99

==========

100

101

  [ 1 ] LCDproc advisory

102

        http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html

103

104

Availability

105

============

106

107

This GLSA and any updates to it are available for viewing at

108

the Gentoo Security Website:

109

110

     http://security.gentoo.org/glsa/glsa-200404-19.xml

111

112

Concerns?

113

=========

114

115

Security is a primary focus of Gentoo Linux and ensuring the

116

confidentiality and security of our users machines is of utmost

117

importance to us. Any security concerns should be addressed to

118

security@g.o or alternatively, you may file a bug at

119

http://bugs.gentoo.org.

120

121

License

122

=======

123

124

Copyright 2004 Gentoo Technologies, Inc; referenced text

125

belongs to its owner(s).

126

127

The contents of this document are licensed under the

128

Creative Commons - Attribution / Share Alike license.

129

130

http://creativecommons.org/licenses/by-sa/1.0

131

132

--Boundary-02=_/1ejAdIdlhzyUYy

133

Content-Type: application/pgp-signature

134

Content-Description: signature

135

136

-----BEGIN PGP SIGNATURE-----

137

Version: GnuPG v1.2.4 (GNU/Linux)

138

139

iD4DBQBAje1/aIxeYlQMsxsRAt7hAJjgszRcKkPiY4mQcxAO5meO7WR3AJ0TBk3e

140

Ib4JhXTrQiYGZxur5I+M2w==

141

=NhzA

142

-----END PGP SIGNATURE-----

143

144

--Boundary-02=_/1ejAdIdlhzyUYy--

1	vulnerabilities in LCDproc
2	Date: Mon, 26 Apr 2004 22:19:53 -0700
3	User-Agent: KMail/1.6.1
4	Cc: bugtraq@×××××××××××××.com,
5	full-disclosure@××××××××××××.com,
6	security-alerts@×××××××××××××.com,
7	gentoo-core@g.o
8	MIME-Version: 1.0
9	X-KMail-Identity: 422776557
10	Content-Type: multipart/signed;
11	protocol="application/pgp-signature";
12	micalg=pgp-sha1;
13	boundary="Boundary-02=_/1ejAdIdlhzyUYy";
14	charset="us-ascii"
15	Content-Transfer-Encoding: 7bit
16	Message-Id: <200404262219.59698.condordes@g.o>
17	Status: R
18	X-Status: NQ
19	X-KMail-EncryptionState:
20	X-KMail-SignatureState:
21	X-KMail-MDN-Sent:
22
23
24	--Boundary-02=_/1ejAdIdlhzyUYy
25	Content-Type: text/plain;
26	charset="us-ascii"
27	Content-Transfer-Encoding: 7bit
28	Content-Disposition: inline
29
30	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
31	Gentoo Linux Security Advisory GLSA 200404-19
32	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
33	http://security.gentoo.org/
34	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
35
36	Severity: Normal
37	Title: Buffer overflows and format string vulnerabilities in
38	LCDproc
39	Date: April 27, 2004
40	Bugs: #47340
41	ID: 200404-19
42
43	- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
44
45	Synopsis
46	========
47
48	Multiple remote vulnerabilities have been found in the LCDd server,
49	allowing execution of arbitrary code with the rights of the LCDd user.
50
51	Background
52	==========
53
54	LCDproc is a program that displays various bits of real-time system
55	information on an LCD. It makes use of a local server (LCDd) to collect
56	information to display on the LCD.
57
58	Affected packages
59	=================
60
61	-------------------------------------------------------------------
62	Package / Vulnerable / Unaffected
63	-------------------------------------------------------------------
64	1 app-misc/lcdproc <= 0.4.4-r1 >= 0.4.5
65
66	Description
67	===========
68
69	Due to insufficient checking of client-supplied data, the LCDd server
70	is susceptible to two buffer overflows and one string buffer
71	vulnerability. If the server is configured to listen on all network
72	interfaces (see the Bind parameter in LCDproc configuration), these
73	vulnerabilities can be triggered remotely.
74
75	Impact
76	======
77
78	These vulnerabilities allow an attacker to execute code with the rights
79	of the user running the LCDproc server. By default, this is the
80	"nobody" user.
81
82	Workaround
83	==========
84
85	A workaround is not currently known for this issue. All users are
86	advised to upgrade to the latest version of the affected package.
87
88	Resolution
89	==========
90
91	LCDproc users should upgrade to version 0.4.5 or later:
92
93	# emerge sync
94
95	# emerge -pv ">=app-misc/lcdproc-0.4.5"
96	# emerge ">=app-misc/lcdproc-0.4.5"
97
98	References
99	==========
100
101	[ 1 ] LCDproc advisory
102	http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html
103
104	Availability
105	============
106
107	This GLSA and any updates to it are available for viewing at
108	the Gentoo Security Website:
109
110	http://security.gentoo.org/glsa/glsa-200404-19.xml
111
112	Concerns?
113	=========
114
115	Security is a primary focus of Gentoo Linux and ensuring the
116	confidentiality and security of our users machines is of utmost
117	importance to us. Any security concerns should be addressed to
118	security@g.o or alternatively, you may file a bug at
119	http://bugs.gentoo.org.
120
121	License
122	=======
123
124	Copyright 2004 Gentoo Technologies, Inc; referenced text
125	belongs to its owner(s).
126
127	The contents of this document are licensed under the
128	Creative Commons - Attribution / Share Alike license.
129
130	http://creativecommons.org/licenses/by-sa/1.0
131
132	--Boundary-02=_/1ejAdIdlhzyUYy
133	Content-Type: application/pgp-signature
134	Content-Description: signature
135
136	-----BEGIN PGP SIGNATURE-----
137	Version: GnuPG v1.2.4 (GNU/Linux)
138
139	iD4DBQBAje1/aIxeYlQMsxsRAt7hAJjgszRcKkPiY4mQcxAO5meO7WR3AJ0TBk3e
140	Ib4JhXTrQiYGZxur5I+M2w==
141	=NhzA
142	-----END PGP SIGNATURE-----
143
144	--Boundary-02=_/1ejAdIdlhzyUYy--

Gentoo Archives: gentoo-announce