| 1 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 2 |
Gentoo Linux Pending Vulnerabilities GLVP 200403-01 |
| 3 |
Unofficial Announcement |
| 4 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 5 |
glvp@×××××××××.org |
| 6 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 7 |
|
| 8 |
|
| 9 |
Abstract: This email is a compilation of known but unresolved |
| 10 |
vulnerabilities and security issues in Gentoo Linux. This GLPV email |
| 11 |
will be issued each Saturday as a reminder and warning for Gentoo users |
| 12 |
about unresolved security critical bugs of packages in the Gentoo |
| 13 |
Portage tree. This is an unofficial email, not associated with the |
| 14 |
Gentoo Linux security team. Since I am far from perfect, this mail may |
| 15 |
contain errors. Please report them if you spot them. |
| 16 |
|
| 17 |
How to contribute: You can help make Gentoo an even better Linux |
| 18 |
experience by contributing any bugs you notice to bugs.gentoo.org and |
| 19 |
inform me about it. This is a guideline as how to contribute best: |
| 20 |
|
| 21 |
Skim through security related channels like bugtraq, full-disclosure, |
| 22 |
any announcements other distributions offer and security related media |
| 23 |
and press reports. |
| 24 |
|
| 25 |
Activate your curiosity: if you notice a package that might be included |
| 26 |
in the Gentoo Linux Portage tree, confirm it's in Portage and check its |
| 27 |
version in Portage (stable). Is an affected version in Portage? You may |
| 28 |
need to check whether any patching has been done already. If in doubt, |
| 29 |
assume that the bug still exists. |
| 30 |
|
| 31 |
Browse the bugs in bugs.gentoo.org and see whether the issue is already |
| 32 |
known. If the issue is already known but not included in any GLPV |
| 33 |
announcement then please send me a mail at glpv@×××××××××.org and don't |
| 34 |
forget to mention the bug identifier from Bugzilla. If the bug is not |
| 35 |
yet in Bugzilla then enter it into Bugzilla. Include any external |
| 36 |
reference in your Bugzilla entry and inform me about this new pending |
| 37 |
vulnerability so I can include it here. |
| 38 |
|
| 39 |
Comments, suggestions and reports about errors are welcome at |
| 40 |
glpv@×××××××××.org |
| 41 |
|
| 42 |
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - |
| 43 |
|
| 44 |
***************** |
| 45 |
Package: Linux kernel |
| 46 |
Versions: 2.2 up to and including 2.2.25, 2.4 up to to and including |
| 47 |
2.4.24, 2.6 up to to and including 2.6.2 |
| 48 |
Subject: Linux kernel do_mremap VMA limit local privilege escalation |
| 49 |
vulnerability |
| 50 |
Risk: critical |
| 51 |
Date: 01/03/2004 |
| 52 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42024 |
| 53 |
Cross Reference: |
| 54 |
http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt |
| 55 |
|
| 56 |
Description: |
| 57 |
|
| 58 |
See the cross reference. |
| 59 |
|
| 60 |
***************** |
| 61 |
|
| 62 |
***************** |
| 63 |
Package: Ethereal |
| 64 |
Versions: 0.8.14 - 0.10.2 |
| 65 |
Subject: Multiple (13) Ethereal remote overflows discovered=20 |
| 66 |
Risk: critical |
| 67 |
Date: 23/03/2004 |
| 68 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45543 |
| 69 |
Cross Reference: http://security.e-matters.de/advisories/032004.html |
| 70 |
|
| 71 |
Description: |
| 72 |
|
| 73 |
See the cross reference. |
| 74 |
|
| 75 |
***************** |
| 76 |
|
| 77 |
***************** |
| 78 |
Package: xfsdump |
| 79 |
Versions: ? |
| 80 |
Subject: xfsdump creates files insecurely |
| 81 |
Risk: critical |
| 82 |
Date: 10/04/2003 |
| 83 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D19406 |
| 84 |
Cross Reference: |
| 85 |
ftp://patches.sgi.com/support/free/security/advisories/20030404-01-P |
| 86 |
|
| 87 |
Description: |
| 88 |
|
| 89 |
xfsdq in xfsdump does not create quota information files securely, which |
| 90 |
allows local users to gain root privileges. |
| 91 |
|
| 92 |
***************** |
| 93 |
|
| 94 |
***************** |
| 95 |
Package: Firebird |
| 96 |
Versions: ? |
| 97 |
Subject: Environment Variable Buffer Overflow Vulnerability |
| 98 |
Risk: critical |
| 99 |
Date: 10/05/2003 |
| 100 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D20837 |
| 101 |
Cross Reference: http://securityfocus.com/bid/7546/info/ |
| 102 |
|
| 103 |
Description: |
| 104 |
|
| 105 |
Interbase is a database distributed and maintained by Borland. It is |
| 106 |
available for Unix and Linux operating systems. As Firebird is based on |
| 107 |
Borland/Inprise Interbase source code, it is very likely that Interbase |
| 108 |
is prone to this issue also. |
| 109 |
|
| 110 |
A buffer overflow has been discovered in the setuid root program |
| 111 |
gds_inet_server, packaged with Firebird. This problem could allow a |
| 112 |
local user to execute the program with strings of arbitrary length. By |
| 113 |
using a custom crafted string, the attacker could overwrite stack |
| 114 |
memory, including the return address of a function, and potentially |
| 115 |
execute arbitrary code as root. |
| 116 |
|
| 117 |
***************** |
| 118 |
|
| 119 |
***************** |
| 120 |
Package: imagemagick |
| 121 |
Versions: ? |
| 122 |
Subject: insecure temporary file |
| 123 |
Risk: low/medium |
| 124 |
Date: 27/06/2003 |
| 125 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D24001 |
| 126 |
Cross Reference: http://www.debian.org/security/2003/dsa-331 |
| 127 |
|
| 128 |
Description: |
| 129 |
|
| 130 |
See cross reference. |
| 131 |
|
| 132 |
***************** |
| 133 |
|
| 134 |
***************** |
| 135 |
Package: OpenLDAP |
| 136 |
Versions: ? |
| 137 |
Subject: Denial of Service and other (non-security) fixes=20 |
| 138 |
Risk: critical |
| 139 |
Date: 04/07/2003 |
| 140 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D26728 |
| 141 |
Cross Reference: http://www.openldap.org/its/index.cgi?findid=3D2390 |
| 142 |
|
| 143 |
Description: |
| 144 |
|
| 145 |
A failed password extended operation (password EXOP) can cause openldap |
| 146 |
to, if using the back-ldbm backend, attempt to free memory which was |
| 147 |
never allocated, resulting in a segfault. The back-bdb backend, on the |
| 148 |
other hand, has a memory leak in the same code. Both conditions can be |
| 149 |
triggered remotely. |
| 150 |
|
| 151 |
See the Bugzilla entry for more information. |
| 152 |
|
| 153 |
***************** |
| 154 |
|
| 155 |
***************** |
| 156 |
Package: Gentoo Portage |
| 157 |
Versions: ? |
| 158 |
Subject: emerge security - running as root and digital signatures |
| 159 |
Risk: medium/high |
| 160 |
Date: 08/02/2002 |
| 161 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D5902 |
| 162 |
Cross Reference: none |
| 163 |
|
| 164 |
Description: |
| 165 |
|
| 166 |
Running emerge as root is only necessary for the merge step. Unpacking, |
| 167 |
setup and compilation should be done as a normal user (say, "nobody"). |
| 168 |
Merging should never overwrite an existing file without user |
| 169 |
authorisation. |
| 170 |
|
| 171 |
At the moment there are a couple of ways to get root from portage: |
| 172 |
|
| 173 |
1) through a trojaned build process |
| 174 |
2) through a trojaned source that gets installed and executed by root |
| 175 |
|
| 176 |
Running the build process as a normal user avoids 1). Not overwriting |
| 177 |
exist= |
| 178 |
ing files avoids 2), unless the user is installing some new root |
| 179 |
daemon/program, then they're screwed anyway. |
| 180 |
|
| 181 |
***************** |
| 182 |
|
| 183 |
***************** |
| 184 |
Package: scorched3d |
| 185 |
Versions: 36.2 and ? |
| 186 |
Subject: format string crashes server and client |
| 187 |
Risk: low/medium (denial of service) |
| 188 |
Date: 24/01/2004 |
| 189 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D39302 |
| 190 |
Cross Reference: none |
| 191 |
|
| 192 |
Description: |
| 193 |
|
| 194 |
games-strategy/scorched3d-36.2 suffers from a format string problem that |
| 195 |
crashes clients and servers. If this is used while playing standalone, |
| 196 |
the client will crash. If this is used while playing on a server, the |
| 197 |
server will crash, and all clients will be disconnected. |
| 198 |
|
| 199 |
***************** |
| 200 |
|
| 201 |
***************** |
| 202 |
Package: 8139too driver |
| 203 |
Versions: ? |
| 204 |
Subject: 8139too driver icmp leak |
| 205 |
Risk: high |
| 206 |
Date: 01/06/2003 |
| 207 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D24661 |
| 208 |
Cross Reference: |
| 209 |
http://www.atstake.com/research/advisories/2003/a010603-1.txt |
| 210 |
|
| 211 |
Description: |
| 212 |
|
| 213 |
Multiple platform ethernet Network Interface Card (NIC) device |
| 214 |
drivers incorrectly handle frame padding, allowing an attacker to view |
| 215 |
slices of previously transmitted packets or portions of kernel memory. |
| 216 |
This vulnerability is the result of incorrect implementations of RFC |
| 217 |
requirements and poor programming practices, the combination |
| 218 |
of which results in several variations of this information leakage |
| 219 |
vulnerability. |
| 220 |
|
| 221 |
***************** |
| 222 |
|
| 223 |
***************** |
| 224 |
Package: pam |
| 225 |
Versions: ? |
| 226 |
Subject: pam_console setup broken |
| 227 |
Risk: critical |
| 228 |
Date: 23/10/2003 |
| 229 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D31877 |
| 230 |
Cross Reference: none |
| 231 |
|
| 232 |
Description: |
| 233 |
|
| 234 |
Reproducible: Always |
| 235 |
Steps to Reproduce: |
| 236 |
1. login in on on a virtual terminal as normal user |
| 237 |
2. check permissions on pam_console managed devices |
| 238 |
for example: |
| 239 |
ls -l /dev/floppy/0 |
| 240 |
3. press <Ctrl><Alt><Del> |
| 241 |
4. wait for comp to reboot |
| 242 |
5. login on on any virtual terminal as root |
| 243 |
6. repeat step 2 |
| 244 |
|
| 245 |
Actual Results: |
| 246 |
/dev/floppy/0 is still owned by the last logged in user! |
| 247 |
same problem with serial ports! |
| 248 |
same problem with cdroms/zips/usb-storage devices/... |
| 249 |
same prob with all devices managed by pam_console!!! |
| 250 |
|
| 251 |
Expected Results: |
| 252 |
devices should have ownership from devfsd.conf or root:root! |
| 253 |
|
| 254 |
***************** |
| 255 |
|
| 256 |
***************** |
| 257 |
Package: FreeRadius |
| 258 |
Versions: <=3D 0.9.3 |
| 259 |
Subject: rlm_smb module stack overflow vulnerability |
| 260 |
Risk: critical |
| 261 |
Date: 26/11/2003 |
| 262 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D34424 |
| 263 |
Cross Reference: http://www.s-quadra.com/advisories/Adv-20031126.txt |
| 264 |
|
| 265 |
Description: |
| 266 |
|
| 267 |
See cross reference. |
| 268 |
|
| 269 |
***************** |
| 270 |
|
| 271 |
***************** |
| 272 |
Package: irssi |
| 273 |
Versions: 0.8.9 and ?, x86 not affected |
| 274 |
Subject: remotely crash another user's irssi client |
| 275 |
Risk: low/medium |
| 276 |
Date: 11/12/2203 |
| 277 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D35614 |
| 278 |
Cross Reference: none |
| 279 |
|
| 280 |
Description: |
| 281 |
|
| 282 |
See Bugzilla entry. |
| 283 |
|
| 284 |
***************** |
| 285 |
|
| 286 |
***************** |
| 287 |
Package: nscd |
| 288 |
Versions: ? |
| 289 |
Subject: nscd dns spoof attack |
| 290 |
Risk: critical |
| 291 |
Date: 01/02/2004 |
| 292 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40067 |
| 293 |
Cross Reference: none |
| 294 |
|
| 295 |
Description: |
| 296 |
|
| 297 |
nscd will reverse an IP address and later use the forward of it for |
| 298 |
lookups allowing for spoof attack which can be used to gather passwords |
| 299 |
and other data. |
| 300 |
|
| 301 |
***************** |
| 302 |
|
| 303 |
***************** |
| 304 |
Package: xscreensaver |
| 305 |
Versions: 4.14 and ? |
| 306 |
Subject: file in /tmp, symlink attack |
| 307 |
Risk: high/critical |
| 308 |
Date: 11/02/2204 |
| 309 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D41253 |
| 310 |
Cross Reference: none |
| 311 |
|
| 312 |
Description: |
| 313 |
|
| 314 |
See Bugzilla entry. |
| 315 |
|
| 316 |
***************** |
| 317 |
|
| 318 |
***************** |
| 319 |
Package: metamail |
| 320 |
Versions: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others |
| 321 |
Subject: format string bugs and buffer overflows |
| 322 |
Risk: critical |
| 323 |
Date: 18/02/2004 |
| 324 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42133 |
| 325 |
Cross Reference: |
| 326 |
http://lists.netsys.com/pipermail/full-disclosure/2004-February/017539.html |
| 327 |
|
| 328 |
Description: |
| 329 |
|
| 330 |
See cross reference. |
| 331 |
|
| 332 |
***************** |
| 333 |
|
| 334 |
***************** |
| 335 |
Package: msyslog |
| 336 |
Versions: !=3D 1.09d or 1.08f |
| 337 |
Subject: buffer overflows |
| 338 |
Risk: critical |
| 339 |
Date: 10/04/2003 |
| 340 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42963 |
| 341 |
Cross Reference: |
| 342 |
http://sourceforge.net/forum/forum.php?forum_id=3D267918 |
| 343 |
|
| 344 |
Description: |
| 345 |
|
| 346 |
See Bugzilla entry. |
| 347 |
|
| 348 |
***************** |
| 349 |
|
| 350 |
***************** |
| 351 |
Package: monit |
| 352 |
Versions: < 4.1.1 |
| 353 |
Subject: remote vulnerability |
| 354 |
Risk: critical |
| 355 |
Date: 07/03/2004 |
| 356 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D43967 |
| 357 |
Cross Reference: http://www.tildeslash.com/monit/ |
| 358 |
|
| 359 |
Description: |
| 360 |
|
| 361 |
No description available. |
| 362 |
|
| 363 |
***************** |
| 364 |
|
| 365 |
***************** |
| 366 |
Package: Unreal engine |
| 367 |
Versions: ? |
| 368 |
Subject: Format string bug in EpicGames Unreal engine |
| 369 |
Risk: critical |
| 370 |
Date: 10/03/2004 |
| 371 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D44351 |
| 372 |
Cross Reference: |
| 373 |
http://www.securityfocus.com/archive/1/356904/2004-03-08/2004-03-14/0 |
| 374 |
|
| 375 |
Description: |
| 376 |
|
| 377 |
The problem is a format string bug in the Classes management. |
| 378 |
Each time a client connects to a server it sends the names of the |
| 379 |
objects it uses (called classes). |
| 380 |
|
| 381 |
If an attacker uses a class name containing format parameters (as %n, |
| 382 |
%s and so on) he will be able to crash or also to execute malicious |
| 383 |
code on the remote server. |
| 384 |
|
| 385 |
***************** |
| 386 |
|
| 387 |
***************** |
| 388 |
Package: clamav |
| 389 |
Versions: < 0.70-rc |
| 390 |
Subject: RAR DOS vulnerability |
| 391 |
Risk: critical |
| 392 |
Date: 22/03/2004 |
| 393 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45357 |
| 394 |
Cross Reference: http://secunia.com/advisories/11177/ |
| 395 |
|
| 396 |
Description: |
| 397 |
|
| 398 |
A vulnerability has been discovered in Clam AntiVirus, which can be |
| 399 |
exploited by malicious people to cause a DoS (Denial-of-Service). |
| 400 |
|
| 401 |
An unspecified error within the processing of certain RAR archives (e.g. |
| 402 |
some of those generated by the Bagle virus) may cause a crash. |
| 403 |
|
| 404 |
***************** |
| 405 |
|
| 406 |
***************** |
| 407 |
Package: GNU Automake |
| 408 |
Versions: < 1.8.3 |
| 409 |
Subject: Insecure Temporary Directory Creation Symbolic Link |
| 410 |
Vulnerability |
| 411 |
Risk: high/critical |
| 412 |
Date: 08/03/2004 |
| 413 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45646 |
| 414 |
Cross Reference: http://www.securityfocus.com/bid/9816/info/ |
| 415 |
|
| 416 |
Description: |
| 417 |
|
| 418 |
See cross reference. |
| 419 |
|
| 420 |
***************** |
| 421 |
|
| 422 |
***************** |
| 423 |
Package: apache, mod_cgi |
| 424 |
Versions: 2.0.47 |
| 425 |
Subject: Apache 2.0.47 & mod_cgi: denial of service |
| 426 |
Risk: critical |
| 427 |
Date: 31/07/2003 |
| 428 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D29893 |
| 429 |
Cross Reference: |
| 430 |
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=3D22030 |
| 431 |
|
| 432 |
Description: |
| 433 |
|
| 434 |
If a cgi script under mod_cgi outputs more than 4096 bytes of stderr |
| 435 |
before it finishes writing to and closing its stdout, the write() in the |
| 436 |
cgi script containing the 4097th byte of stderr will hang indefinitely, |
| 437 |
hanging the script's execution. |
| 438 |
|
| 439 |
This appears to be cause by the fact that mod_cgi reads all stdout |
| 440 |
output first, and then begins reading stderr output. APR's file_io |
| 441 |
which is handling the streams will only buffer 4096 characters before |
| 442 |
further writes by the script to stderr will hang, waiting for mod_cgi to |
| 443 |
read some of the data from the stream via APR file_io. |
| 444 |
|
| 445 |
***************** |
| 446 |
|
| 447 |
***************** |
| 448 |
Package: courier-imap |
| 449 |
Versions: see cross reference |
| 450 |
Subject: Multiple Remote Buffer Overflow Vulnerabilities |
| 451 |
Risk: critical |
| 452 |
Date: 11/03/2004 |
| 453 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45584 |
| 454 |
Cross Reference: http://www.securityfocus.com/bid/9845/info/ |
| 455 |
|
| 456 |
Description: |
| 457 |
|
| 458 |
Multiple buffer overflow vulnerabilities have been identified in Courier |
| 459 |
MTA, Courier SqWebMail, and Courier-IMAP. These vulnerabilities may |
| 460 |
allow a remote attacker to execute arbitrary code on a vulnerable system |
| 461 |
in order to gain unauthorized access. |
| 462 |
|
| 463 |
***************** |
| 464 |
|
| 465 |
***************** |
| 466 |
Package: Mozilla |
| 467 |
Versions: < 1.6 |
| 468 |
Subject: Cross-domain exploit on zombie document with event handlers |
| 469 |
Risk: critical |
| 470 |
Date: 25/02/2004 |
| 471 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D43072 |
| 472 |
Cross Reference: http://www.securityfocus.com/archive/1/355233 |
| 473 |
|
| 474 |
Description: |
| 475 |
|
| 476 |
When linking to a new page it is still possible to interact with the old |
| 477 |
page before the new page has been successfully loaded (zombie document). |
| 478 |
Any javascript events fired will be invoked in the context of the new |
| 479 |
page, making cross site scripting possible if the pages belong to |
| 480 |
different domains. |
| 481 |
|
| 482 |
***************** |
| 483 |
|
| 484 |
***************** |
| 485 |
Package: fetchmail |
| 486 |
Versions: <=3D 6.2.4 |
| 487 |
Subject: email denial of service |
| 488 |
Risk: low/medium |
| 489 |
Date: 16/10/2003 |
| 490 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D37717 |
| 491 |
Cross Reference: http://xforce.iss.net/xforce/xfdb/13450 |
| 492 |
|
| 493 |
Description: |
| 494 |
|
| 495 |
Fetchmail is a full-featured remote mail-retrieval and forwarding |
| 496 |
utility for Unix that uses the POP3 and IMAP protocols. Fetchmail |
| 497 |
version 6.2.4 is vulnerable to a denial of service attack. By sending a |
| 498 |
specially-crafted email, a remote attacker can cause the program to |
| 499 |
crash. |
| 500 |
|
| 501 |
***************** |
| 502 |
|
| 503 |
***************** |
| 504 |
Package: RealOne Player and RealPlayer 8 |
| 505 |
Versions: ? |
| 506 |
Subject: arbitrary code execution |
| 507 |
Risk: critical |
| 508 |
Date: 04/02/2004? |
| 509 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40469 |
| 510 |
Cross Reference: |
| 511 |
http://www.service.real.com/help/faq/security/040123_player/EN/ |
| 512 |
|
| 513 |
Description: |
| 514 |
|
| 515 |
RealNetworks, Inc. has recently been made aware of security |
| 516 |
vulnerabilities that could potentially allow an attacker to run |
| 517 |
arbitrary code on a user's machine. |
| 518 |
|
| 519 |
The specific exploits were: |
| 520 |
|
| 521 |
* Exploit 1: To operate remote Javascript from the domain of the |
| 522 |
URL opened by a SMIL file or other file. |
| 523 |
* Exploit 2: To fashion RMP files which allow an attacker to |
| 524 |
download and execute arbitrary code on a user's machine. |
| 525 |
* Exploit 3: To fashion media files to create Buffer Overrun |
| 526 |
errors. |
| 527 |
|
| 528 |
While we have not received reports of anyone actually being attacked |
| 529 |
with this exploit, all security vulnerabilities are taken very seriously |
| 530 |
by RealNetworks. RealNetworks has found and fixed the problem. |
| 531 |
|
| 532 |
***************** |
| 533 |
|
| 534 |
***************** |
| 535 |
Package: mpg123 |
| 536 |
Versions: ? |
| 537 |
Subject: heap overflow, arbitrary code execution |
| 538 |
Risk: high |
| 539 |
Date: 06/02/2004 |
| 540 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D40631 |
| 541 |
Cross Reference: http://www.debian.org/security/2004/dsa-435 |
| 542 |
|
| 543 |
Description: |
| 544 |
|
| 545 |
A vulnerability was discovered in mpg123, a command-line mp3 player, |
| 546 |
whereby a response from a remote HTTP server could overflow a buffer |
| 547 |
allocated on the heap, potentially permitting execution of arbitrary |
| 548 |
code with the privileges of the user invoking mpg123. In order for |
| 549 |
this vulnerability to be exploited, mpg321 would need to request an |
| 550 |
mp3 stream from a malicious remote server via HTTP. |
| 551 |
|
| 552 |
***************** |
| 553 |
|
| 554 |
***************** |
| 555 |
Package: Samba, Linux kernel |
| 556 |
Versions: Samba 3.x, Linux kernel 2.6.x |
| 557 |
Subject: Samba 3.x + kernel 2.6.x local root vulnerability |
| 558 |
Risk: high |
| 559 |
Date: 09/02/2004 |
| 560 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D41800 |
| 561 |
Cross Reference: http://www.securityfocus.com/archive/1/353217 |
| 562 |
|
| 563 |
Description: |
| 564 |
|
| 565 |
See cross reference. |
| 566 |
|
| 567 |
***************** |
| 568 |
|
| 569 |
***************** |
| 570 |
Package: uudeview |
| 571 |
Versions: < 0.5.20 |
| 572 |
Subject: buffer overflow vulnerabilities, remote arbitrary code |
| 573 |
execution |
| 574 |
Risk: high |
| 575 |
Date: 02/03/2004 |
| 576 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D44859 |
| 577 |
Cross Reference: |
| 578 |
http://www.securitytracker.com/alerts/2004/Mar/1009291.html |
| 579 |
|
| 580 |
Description: |
| 581 |
|
| 582 |
It is reported that a remote user can create a malicious MIME file |
| 583 |
(.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe extensions) that, when |
| 584 |
processed by a target user, will cause UUDeview to crash or execute |
| 585 |
arbitrary code. The code will run with the privileges of the target user |
| 586 |
or application. |
| 587 |
|
| 588 |
***************** |
| 589 |
|
| 590 |
***************** |
| 591 |
Package: MySQl |
| 592 |
Versions: all |
| 593 |
Subject: Symlink bug / tmpfile bug |
| 594 |
Risk: low/medium |
| 595 |
Date: 24/03/2004 |
| 596 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45727 |
| 597 |
Cross Reference: http://nettwerked.mg2.org/advisories/mysqlbug |
| 598 |
|
| 599 |
Description: |
| 600 |
|
| 601 |
See cross reference. |
| 602 |
|
| 603 |
***************** |
| 604 |
|
| 605 |
***************** |
| 606 |
Package: pwlib |
| 607 |
Versions: < 1.6.0 |
| 608 |
Subject: multiple vulnerabilities allow remote DoS attacks and possibly |
| 609 |
execution of arbitrary code |
| 610 |
Risk: high |
| 611 |
Date: 13/01/2004 |
| 612 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45846 |
| 613 |
Cross Reference: |
| 614 |
http://www.postincrement.com/openh323/nissc_vulnerabilty.html |
| 615 |
|
| 616 |
Description: |
| 617 |
|
| 618 |
See cross reference. |
| 619 |
|
| 620 |
***************** |
| 621 |
|
| 622 |
***************** |
| 623 |
Package: iproute |
| 624 |
Versions: ? |
| 625 |
Subject: local denial of service attack |
| 626 |
Risk: medium/high |
| 627 |
Date: 24/11/2003 |
| 628 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D34294 |
| 629 |
Cross Reference: http://rhn.redhat.com/errata/RHSA-2003-316.html |
| 630 |
|
| 631 |
Description: |
| 632 |
|
| 633 |
Herbert Xu reported that iproute can accept spoofed messages sent on the |
| 634 |
kernel netlink interface by other users on the local machine. This could |
| 635 |
lead to a local denial of service attack. The Common Vulnerabilities and |
| 636 |
Exposures project (cve.mitre.org) has assigned the name CAN-2003-0856 to |
| 637 |
this issue. |
| 638 |
|
| 639 |
***************** |
| 640 |
|
| 641 |
***************** |
| 642 |
Package: openhbci-plugin-ddvcard |
| 643 |
Versions: ? |
| 644 |
Subject: openhbci-plugin-ddvcard can destroy hbci-cards |
| 645 |
Risk: critical |
| 646 |
Date: 13/01/2004 |
| 647 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38201 |
| 648 |
Cross Reference: |
| 649 |
http://sourceforge.net/mailarchive/forum.php?thread_id=3D3743892&forum_id= |
| 650 |
=3D926 |
| 651 |
|
| 652 |
Description: |
| 653 |
|
| 654 |
See cross reference (German) and Bugzilla entry. |
| 655 |
|
| 656 |
***************** |
| 657 |
|
| 658 |
***************** |
| 659 |
Package: tcpdump |
| 660 |
Versions: ? |
| 661 |
Subject: denial of service, or possibly execute arbitrary |
| 662 |
code as the 'pcap' user |
| 663 |
Risk: medium/high |
| 664 |
Date: 14/01/2004 |
| 665 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38206 |
| 666 |
Cross Reference: none |
| 667 |
|
| 668 |
Description: |
| 669 |
|
| 670 |
Tcpdump is a command-line tool for monitoring network traffic. |
| 671 |
|
| 672 |
George Bakos discovered flaws in the ISAKMP decoding routines of tcpdump |
| 673 |
versions prior to 3.8.1. The Common Vulnerabilities and Exposures |
| 674 |
project |
| 675 |
(cve.mitre.org) has assigned the name CAN-2003-0989 to this issue. |
| 676 |
|
| 677 |
Jonathan Heusser discovered two additional flaws in the ISAKMP decoding |
| 678 |
routines of tcpdump versions up to and including 3.8.1. |
| 679 |
|
| 680 |
Remote attackers could potentially exploit these issues by sending |
| 681 |
carefully-crafted packets to a victim. If the victim uses tcpdump, |
| 682 |
these |
| 683 |
pakets could result in a denial of service, or possibly execute |
| 684 |
arbitrary |
| 685 |
code as the 'pcap' user. |
| 686 |
|
| 687 |
Users of tcpdump are advised to upgrade to these erratum packages, which |
| 688 |
contain backported security patches and are not vulnerable to these |
| 689 |
issues. |
| 690 |
|
| 691 |
***************** |
| 692 |
|
| 693 |
***************** |
| 694 |
Package: kdepim |
| 695 |
Versions: from KDE 3.1.0 to 3.1.4 |
| 696 |
Subject: buffer overflow in the file information reader of VCF files |
| 697 |
Risk: high/critical |
| 698 |
Date: 14/01/2004 |
| 699 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D38256 |
| 700 |
Cross Reference: |
| 701 |
http://www.kde.org/info/security/advisory-20040114-1.txt |
| 702 |
|
| 703 |
Description: |
| 704 |
|
| 705 |
A carefully crafted .VCF file potentially enables local attackers to |
| 706 |
compromise the privacy of a victim's data or execute arbitrary commands |
| 707 |
with the victim's privileges. |
| 708 |
|
| 709 |
By default, file information reading is disabled for remote files. |
| 710 |
However, if previews are enabled for remote files, remote attackers may |
| 711 |
be able to compromise the victim's account. |
| 712 |
|
| 713 |
***************** |
| 714 |
|
| 715 |
***************** |
| 716 |
Package: dcron |
| 717 |
Versions: 2.9 |
| 718 |
Subject: dcron installs init script suid 4755 |
| 719 |
Risk: medium |
| 720 |
Date: 25/02/2004 |
| 721 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42908 |
| 722 |
Cross Reference: http://dev.gentoo.org/~solar/misc/dcron-2.9-r2.diff |
| 723 |
|
| 724 |
Description: |
| 725 |
|
| 726 |
See Bugzilla entry. |
| 727 |
|
| 728 |
***************** |
| 729 |
|
| 730 |
***************** |
| 731 |
Package: xine |
| 732 |
Versions: ? |
| 733 |
Subject: Symlink bug / tmpfile bug in xine-check and xine-bugreport |
| 734 |
Risk: low/medium |
| 735 |
Date: 19/03/2004 |
| 736 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45448 |
| 737 |
Cross Reference: http://nettwerked.mg2.org/advisories/xinebug |
| 738 |
|
| 739 |
Description: |
| 740 |
|
| 741 |
See cross reference. |
| 742 |
|
| 743 |
***************** |
| 744 |
|
| 745 |
***************** |
| 746 |
Package: phpBB |
| 747 |
Versions: ? |
| 748 |
Subject: Multiple vulnerabilities |
| 749 |
Risk: critical |
| 750 |
Date: 13/03/2004 |
| 751 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45482 |
| 752 |
Cross Reference: http://www.securityfocus.com/bid/9865 |
| 753 |
|
| 754 |
Description: |
| 755 |
|
| 756 |
See Bugzilla entry and cross reference. |
| 757 |
|
| 758 |
***************** |
| 759 |
|
| 760 |
***************** |
| 761 |
Package: SquidGuard |
| 762 |
Versions: <=3D 1.2.0 |
| 763 |
Subject: NULL URL Character Unauthorized Access Vulnerability |
| 764 |
Risk: critical |
| 765 |
Date: 19/03/2004 |
| 766 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45491 |
| 767 |
Cross Reference: http://www.securityfocus.com/bid/9919/info/ |
| 768 |
|
| 769 |
Description: |
| 770 |
|
| 771 |
Reportedly SquidGaurd is prone to a remote NULL URL character |
| 772 |
unauthorized access vulnerability. This issue is due to a failure of the |
| 773 |
application to properly filter out invalid URIs. |
| 774 |
|
| 775 |
Successful exploitation of this issue may allow a remote attacker to |
| 776 |
bypass access controls resulting in unauthorized access to |
| 777 |
attacker-specified resources. This may allow the attacker to gain |
| 778 |
unauthorized access to sensitive resources. |
| 779 |
|
| 780 |
***************** |
| 781 |
|
| 782 |
***************** |
| 783 |
Package: Jetty |
| 784 |
Versions: < 4.2.19 |
| 785 |
Subject: Unspecified Denial Of Service Vulnerability |
| 786 |
Risk: high/critical |
| 787 |
Date: 18/03/2004 |
| 788 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45552 |
| 789 |
Cross Reference: http://www.securityfocus.com/bid/9917 |
| 790 |
|
| 791 |
Description: |
| 792 |
|
| 793 |
See cross reference. |
| 794 |
|
| 795 |
***************** |
| 796 |
|
| 797 |
***************** |
| 798 |
Package: oftpd |
| 799 |
Versions: 0.3.6 and possibly others |
| 800 |
Subject: remote DoS vulnerability |
| 801 |
Risk: medium/high |
| 802 |
Date: 04/03/2004 |
| 803 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D45738 |
| 804 |
Cross Reference: http://www.time-travellers.org/oftpd/oftpd-dos.html |
| 805 |
|
| 806 |
Description: |
| 807 |
|
| 808 |
Denial of service. An ftp server can be taken offline with a simple |
| 809 |
telnet connection. |
| 810 |
|
| 811 |
***************** |
| 812 |
|
| 813 |
***************** |
| 814 |
Package: libxml2 |
| 815 |
Versions: 2.6.x |
| 816 |
Subject: URI Parsing Buffer Overflow Vulnerabilities |
| 817 |
Risk: high/critical |
| 818 |
Date: 24/02/2004 |
| 819 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D42735 |
| 820 |
Cross Reference: http://secunia.com/advisories/10958/ |
| 821 |
|
| 822 |
Description: |
| 823 |
|
| 824 |
Yuuichi Teranishi has discovered some vulnerabilities in libxml2, which |
| 825 |
potentially can be exploited by malicious people to compromise a |
| 826 |
vulnerable system. |
| 827 |
|
| 828 |
The vulnerabilities are caused due to boundary errors in nanohttp and |
| 829 |
nanoftp when parsing overly long URIs. This can be exploited to cause a |
| 830 |
buffer overflow by supplying an overly long URI (about 4096 bytes). |
| 831 |
|
| 832 |
Successful exploitation may potentially allow execution of arbitrary |
| 833 |
code. |
| 834 |
|
| 835 |
***************** |
| 836 |
|
| 837 |
***************** |
| 838 |
Package: inn |
| 839 |
Versions: < 2.4.1? |
| 840 |
Subject: ? |
| 841 |
Risk: ? |
| 842 |
Date: 17/09/2003 |
| 843 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D29020 |
| 844 |
Cross Reference: none |
| 845 |
|
| 846 |
Description: |
| 847 |
|
| 848 |
See Bugzilla entry. |
| 849 |
|
| 850 |
***************** |
| 851 |
|
| 852 |
***************** |
| 853 |
Package: mplayer |
| 854 |
Versions: ? |
| 855 |
Subject: /dev/misc/rtc permissions change & sysctl.conf addition |
| 856 |
Risk: low/medium? |
| 857 |
Date: 11/09/2003 |
| 858 |
Gentoo Bugzilla: http://bugs.gentoo.org/show_bug.cgi?id=3D28486 |
| 859 |
Cross Reference: none |
| 860 |
|
| 861 |
Description: |
| 862 |
|
| 863 |
See Bugzilla entry. |
| 864 |
|
| 865 |
***************** |
| 866 |
|
| 867 |
If you spotted any errors or you're aware of additional |
| 868 |
references/information, please drop me a note at glpv@×××××××××.org. |
| 869 |
|
| 870 |
This list is far from complete. As of today it only contains entries |
| 871 |
from Bugzilla that haven't been fixed yet. There are probably many |
| 872 |
issues that haven't found their way into Bugzilla at all. |
| 873 |
|
| 874 |
|
| 875 |
kind regards, |
| 876 |
Tobias Weisserth |
| 877 |
|
| 878 |
|
| 879 |
-- |
| 880 |
*************************************************** |
| 881 |
____ _____ |
| 882 |
| _ \| ____| Tobias Weisserth |
| 883 |
| | | | _| tobias@weisserth.[de|com|net|org] |
| 884 |
_| |_| | |___ http://www.weisserth.org |
| 885 |
(_)____/|_____| |
| 886 |
|
| 887 |
Encrypted mail is welcome. |
| 888 |
Key and fingerprint: http://imprint.weisserth.org |
| 889 |
|
| 890 |
*************************************************** |
Archives