vulnerabilities in LCDproc
Date: Mon, 26 Apr 2004 22:19:53 -0700
User-Agent: KMail/1.6.1
Cc: bugtraq@×××××××××××××.com,
 full-disclosure@××××××××××××.com,
 security-alerts@×××××××××××××.com,
 gentoo-core@g.o
MIME-Version: 1.0
X-KMail-Identity: 422776557
Content-Type: multipart/signed;
 protocol="application/pgp-signature";
 micalg=pgp-sha1;
 boundary="Boundary-02=_/1ejAdIdlhzyUYy";
 charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <200404262219.59698.condordes@g.o>
Status: R
X-Status: NQ
X-KMail-EncryptionState:
X-KMail-SignatureState:
X-KMail-MDN-Sent:


--Boundary-02=_/1ejAdIdlhzyUYy
Content-Type: text/plain;
 charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200404-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Buffer overflows and format string vulnerabilities in
            LCDproc
      Date: April 27, 2004
      Bugs: #47340
        ID: 200404-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple remote vulnerabilities have been found in the LCDd server,
allowing execution of arbitrary code with the rights of the LCDd user.

Background
==========

LCDproc is a program that displays various bits of real-time system
information on an LCD. It makes use of a local server (LCDd) to collect
information to display on the LCD.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  app-misc/lcdproc            <= 0.4.4-r1                  >= 0.4.5

Description
===========

Due to insufficient checking of client-supplied data, the LCDd server
is susceptible to two buffer overflows and one format string
vulnerability. If the server is configured to listen on all network
interfaces (see the Bind parameter in the LCDd configuration file,
LCDd.conf), these vulnerabilities can be triggered remotely by any
client able to reach the LCDd port; otherwise they can only be
triggered by clients on the local host.

Impact
======

These vulnerabilities allow an attacker to execute code with the rights
of the user running the LCDproc server. By default, this is the
"nobody" user.

Workaround
==========

A workaround is not currently known for this issue. Binding LCDd to
the loopback address only (Bind=127.0.0.1 in LCDd.conf) keeps remote
clients away from the vulnerable code but does not remove the flaws,
which any local client can still trigger. All users are advised to
upgrade to the latest version of the affected package.

Resolution
==========

LCDproc users should upgrade to version 0.4.5 or later:

    # emerge sync

    # emerge -pv ">=app-misc/lcdproc-0.4.5"
    # emerge ">=app-misc/lcdproc-0.4.5"

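The Description and Resolution sections above give an administrator two
things to verify on a host: whether LCDd's Bind setting makes the daemon
reachable from other machines, and whether the installed app-misc/lcdproc
is still at or below 0.4.4-r1. The POSIX shell script below is an added
example that turns both checks into functions; it is not part of this
advisory or of the LCDproc code base. The sample LCDd.conf it writes is
constructed for the demonstration, and two details are assumptions of mine
rather than statements of the advisory: that the live configuration is
found at /etc/LCDd.conf, and that an absent Bind line means LCDd listens
on the loopback address only.

```shell
#!/bin/sh
# Added example, not code from GLSA 200404-19 or from LCDproc.
# Reports (1) whether an LCDd.conf exposes LCDd to remote clients through
# its Bind setting and (2) whether an app-misc/lcdproc version string falls
# in the advisory's vulnerable range (<= 0.4.4-r1).
# Assumptions: on a real host the file is /etc/LCDd.conf, and a missing
# Bind line means LCDd only listens on the loopback address.

# Print "remote" when the Bind value in the [server] section allows
# connections from other hosts, "local" when it is the loopback address.
lcdd_bind_exposure() {
    conf=$1
    bind=$(awk -F= '
        # Track whether the current line is inside the [server] section.
        /^[ \t]*\[/ { insrv = ($0 ~ /^[ \t]*\[server]/); next }
        # First Bind= key in that section: strip comment, blanks and quotes.
        insrv && $1 ~ /^[ \t]*Bind[ \t]*$/ {
            v = $2; sub(/#.*/, "", v); gsub(/[ \t"]/, "", v); print v; exit
        }' "$conf")
    [ -z "$bind" ] && bind=127.0.0.1      # assumed default when Bind is unset
    case $bind in
        127.*|localhost|::1) echo local ;;
        *)                   echo remote ;;
    esac
}

# Print "vulnerable" for versions below 0.4.5 (the first unaffected release
# in the advisory's table), "fixed" otherwise. The Gentoo -rN revision
# suffix is dropped first: 0.4.4-r1 is still upstream 0.4.4.
lcdproc_version_state() {
    base=${1%%-r*}
    set -- $(printf '%s\n' "$base" | tr '.' ' ')
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -gt 0 ] || [ "$minor" -gt 4 ] ||
       { [ "$minor" -eq 4 ] && [ "$patch" -ge 5 ]; }; then
        echo fixed
    else
        echo vulnerable
    fi
}

# Constructed sample LCDd.conf (not captured from any host): Bind on all
# interfaces, the configuration the advisory describes as remotely
# triggerable. The commented-out Bind line must not fool the parser.
write_sample_conf() {
    cat > "$1" <<'EOF'
[server]
Driver=curses
# Bind=127.0.0.1
Bind = "0.0.0.0"   # listen on every interface
Port=13666

[curses]
Size=20x4
EOF
}

# Stand-alone run: classify the sample config and two version strings.
sample=$(mktemp)
write_sample_conf "$sample"
echo "sample config exposure: $(lcdd_bind_exposure "$sample")"   # remote
rm -f "$sample"
for v in 0.4.4-r1 0.4.5; do
    echo "app-misc/lcdproc-$v: $(lcdproc_version_state "$v")"
done
```

On a real system the same functions would be called as
`lcdd_bind_exposure /etc/LCDd.conf` (path assumed) and
`lcdproc_version_state` with the installed ebuild version; a result of
"remote" together with "vulnerable" is the case the advisory rates as
remotely exploitable, while "local" only narrows the attacker population
to local users and does not substitute for the upgrade.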
References
==========

  [ 1 ] LCDproc advisory
        http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200404-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

--Boundary-02=_/1ejAdIdlhzyUYy
Content-Type: application/pgp-signature
Content-Description: signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD4DBQBAje1/aIxeYlQMsxsRAt7hAJjgszRcKkPiY4mQcxAO5meO7WR3AJ0TBk3e
Ib4JhXTrQiYGZxur5I+M2w==
=NhzA
-----END PGP SIGNATURE-----

--Boundary-02=_/1ejAdIdlhzyUYy--