Portage is a package management system used by Gentoo Linux
Multiple stack-based buffer overflows in mod_alias and mod_rewrite can allow
execution of arbitrary code and cause a denial of service.
The Apache HTTP Server is one of the most popular web servers on the
Internet.
Multiple stack-based buffer overflows in mod_alias and mod_rewrite allow
attackers who can create or edit configuration files including .htaccess
files, to cause a denial of service and execute arbitrary code via a regular
expression containing more than 9 captures.
An attacker may cause a denial of service or execute arbitrary code with the
privileges of the user that is running apache.
There is no known workaround at this time, other than to disable both
mod_alias and mod_rewrite.
It is recommended that all Gentoo Linux users who are running
net-misc/apache 1.x upgrade:
# emerge sync
# emerge -pv apache
# emerge '>=www-servers/apache-1.3.29'
# emerge clean
# /etc/init.d/apache restart
Multiple stack-based buffer overflows in mod_alias and mod_rewrite can allow
execution of arbitrary code and cause a denial of service, and a bug in the
way mod_cgid handles CGI redirect paths could result in CGI output going to
the wrong client.
The Apache HTTP Server is one of the most popular web servers on the
Internet.
Multiple stack-based buffer overflows in mod_alias and mod_rewrite allow
attackers who can create or edit configuration files including .htaccess
files, to cause a denial of service and execute arbitrary code via a regular
expression containing more than 9 captures, and a bug in the way mod_cgid
handles CGI redirect paths could result in CGI output going to the wrong
client when a threaded MPM is used, resulting in an information disclosure.
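The trigger both Apache advisories name, a mod_rewrite or mod_alias regular expression containing more than nine capture groups, can be checked for in an existing configuration before the upgrade. What follows is an added example, not code from the Apache project or from these advisories: a small C scanner that counts the capturing groups in the regex argument of RewriteRule, AliasMatch, RedirectMatch and ScriptAliasMatch lines and reports every directive exceeding nine. The configuration lines it scans are constructed for the example; it treats '(?' as non-capturing (PCRE syntax, which Apache 2.0 uses; Apache 1.3's regex library has no such form) and does not follow configuration continuation lines or Include directives.

```c
/*
 * Added example, not Apache's own code: count the capturing groups in the
 * regular expression of each RewriteRule, AliasMatch, RedirectMatch or
 * ScriptAliasMatch directive so an administrator can find directives that
 * exceed nine captures, the condition the advisory names. The configuration
 * lines below are constructed for this example.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Count capturing groups: an unescaped '(' outside a bracket expression
 * that is not followed by '?' (PCRE's non-capturing and lookaround groups,
 * which Apache 2.0's PCRE does not number). */
int count_captures(const char *re)
{
    int captures = 0, in_bracket = 0;
    for (const char *p = re; *p; p++) {
        if (*p == '\\' && p[1]) {        /* escaped character: skip it */
            p++;
            continue;
        }
        if (in_bracket) {
            if (*p == ']') in_bracket = 0;
            continue;
        }
        if (*p == '[') {                 /* a ']' directly after '[' or '[^' is literal */
            in_bracket = 1;
            if (p[1] == '^') p++;
            if (p[1] == ']') p++;
            continue;
        }
        if (*p == '(' && p[1] != '?')
            captures++;
    }
    return captures;
}

/* Case-insensitive test that `line` starts with directive `name`
 * followed by whitespace (Apache directive names are case-insensitive). */
static int has_directive(const char *line, const char *name)
{
    size_t i;
    for (i = 0; name[i]; i++)
        if (tolower((unsigned char)line[i]) != tolower((unsigned char)name[i]))
            return 0;
    return isspace((unsigned char)line[i]) != 0;
}

/* Copy the regex argument (first word after the directive) into buf.
 * Returns 1 when the line is a directive we check, 0 otherwise. */
int directive_regex(const char *line, char *buf, size_t buflen)
{
    static const char *const names[] = { "RewriteRule", "AliasMatch",
                                         "RedirectMatch", "ScriptAliasMatch" };
    while (isspace((unsigned char)*line)) line++;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!has_directive(line, names[i])) continue;
        line += strlen(names[i]);
        while (isspace((unsigned char)*line)) line++;
        size_t len = strcspn(line, " \t\r\n");
        if (len >= buflen) len = buflen - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        return 1;
    }
    return 0;
}

/* Reports every directive whose regex has more than max_captures groups
 * and returns how many it found. */
int scan_config(const char *const *lines, int nlines, int max_captures)
{
    int offending = 0;
    char re[1024];
    for (int i = 0; i < nlines; i++) {
        if (!directive_regex(lines[i], re, sizeof re)) continue;
        int c = count_captures(re);
        if (c > max_captures) {
            printf("line %d: %d captures in %s\n", i + 1, c, re);
            offending++;
        }
    }
    return offending;
}

/* Constructed sample: only the last directive exceeds nine captures. */
const char *const sample_conf[] = {
    "RewriteEngine on",
    "RewriteRule ^/user/([^/]+)/(.*)$ /u.php?name=$1&path=$2 [L]",
    "AliasMatch ^/img/(\\d+)\\.(png|gif)$ /var/www/img/$1.$2",
    "RewriteRule ^(a)(b)(c)(d)(e)(f)(g)(h)(i)(j)$ /x",
};
const int sample_conf_len = 4;

int main(void)
{
    int n = scan_config(sample_conf, sample_conf_len, 9);
    printf("%d directive(s) with more than 9 captures\n", n);
    return n ? 1 : 0;
}
```

To use it against a real installation, read httpd.conf and every .htaccess under DocumentRoot line by line into the array passed to scan_config; a non-zero result means a directive that a user with write access to that file could turn into the overflow described above, even after the limit is understood, so those files deserve the same review as the server configuration itself.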
An attacker may cause a denial of service or execute arbitrary code with the
privileges of the user that is running apache.
There is no known workaround at this time.
It is recommended that all Gentoo Linux users who are running
net-misc/apache 2.x upgrade:
# emerge sync
# emerge -pv '>=www-servers/apache-2.0.48'
# emerge '>=www-servers/apache-2.0.48'
# emerge clean
# /etc/init.d/apache2 restart
Please remember to update your config files in /etc/apache2 as --datadir has
been changed to /var/www/localhost.
A bug in KDM can allow privilege escalation with certain configurations of
PAM modules.
KDM is the desktop manager included with the K Desktop Environment.
Firstly, versions of KDM <=3.1.3 are vulnerable to a privilege escalation
bug with a specific configuration of PAM modules. Users who do not use PAM
with KDM and users who use PAM with regular Unix crypt/MD5 based
authentication methods are not affected.
Secondly, KDM uses a weak cookie generation algorithm. Users are advised to
upgrade to KDE 3.1.4, which uses /dev/urandom as a non-predictable source of
entropy to improve security.
A remote or local attacker could gain root privileges.
There is no known workaround at this time.
It is recommended that all Gentoo Linux users who are running
kde-base/kdebase <=3.1.3 upgrade:
# emerge sync
# emerge -pv '>=kde-base/kde-3.1.4'
# emerge '>=kde-base/kde-3.1.4'
# emerge clean
Buffer overflows exist in Opera 7.11 and 7.20 that can cause Opera to crash,
and can potentially overwrite arbitrary bytes on the heap leading to a
system compromise.
Opera is a multi-platform web browser.
The Opera browser can cause a buffer allocated on the heap to overflow under
certain HREFs when rendering HTML. The mail system is also deemed
vulnerable and an attacker can send an email containing a malformed HREF, or
plant the malicious HREF on a web site.
Certain HREFs can cause a buffer allocated on the heap to overflow when
rendering HTML which can allow arbitrary bytes on the heap to be overwritten
which can result in a system compromise.
There is no known workaround at this time.
Users are encouraged to perform an 'emerge sync' and upgrade the package
to the latest available version. Opera 7.22 is recommended as Opera 7.21 is
vulnerable to other security flaws. Specific steps to upgrade:
# emerge sync
# emerge -pv '>=www-client/opera-7.22'
# emerge '>=www-client/opera-7.22'
# emerge clean
A format string bug allows a remote attacker to execute arbitrary code as
the root user.
HylaFAX is a popular client-server fax package.
During a code review of the hfaxd server, the SuSE Security Team discovered
a format bug condition that allows a remote attacker to execute arbitrary
code as the root user. However, the bug cannot be triggered in the default
hylafax configuration.
A remote attacker could execute arbitrary code with root privileges.
There is no known workaround at this time.
Users are encouraged to perform an 'emerge sync' and upgrade the package to
the latest available version. Vulnerable versions of hylafax have been
removed from portage. Specific steps to upgrade:
# emerge sync
# emerge -pv '>=net-misc/hylafax-4.1.8'
# emerge '>=net-misc/hylafax-4.1.8'
# emerge clean
FreeRADIUS is vulnerable to a heap exploit and a NULL pointer dereference
vulnerability.
FreeRADIUS is a popular open source RADIUS server.
FreeRADIUS versions below 0.9.3 are vulnerable to a heap exploit, however,
the attack code must be in the form of a valid RADIUS packet which limits
the possible exploits.
Also corrected in the 0.9.3 release is another vulnerability which causes
the RADIUS server to de-reference a NULL pointer and crash when an
Access-Request packet with a Tunnel-Password is received.
A remote attacker could craft a RADIUS packet which would cause the RADIUS
server to crash, or could possibly overflow the heap resulting in a system
compromise.
There is no known workaround at this time.
Users are encouraged to perform an 'emerge sync' and upgrade the package to
the latest available version - 0.9.3 is available in portage and is marked
as stable.
# emerge sync
# emerge -pv '>=net-dialup/freeradius-0.9.3'
# emerge '>=net-dialup/freeradius-0.9.3'
# emerge clean
Ethereal is vulnerable to heap and buffer overflows in the GTP, ISAKMP,
MEGACO, and SOCKS protocol dissectors.
Ethereal is a popular network protocol analyzer.
Ethereal contains buffer overflow vulnerabilities in the GTP, ISAKMP, and
MEGACO protocol dissectors, and a heap overflow vulnerability in the SOCKS
protocol dissector, which could cause Ethereal to crash or to execute
arbitrary code.
A remote attacker could craft a malformed packet which would cause Ethereal
to crash or run arbitrary code with the permissions of the user running
Ethereal.
There is no known workaround at this time, other than to disable the GTP,
ISAKMP, MEGACO, and SOCKS protocol dissectors.
It is recommended that all Gentoo Linux users who are running
net-analyzer/ethereal 0.9.x upgrade:
# emerge sync
# emerge -pv '>=net-analyzer/ethereal-0.9.16'
# emerge '>=net-analyzer/ethereal-0.9.16'
# emerge clean
glibc contains a buffer overflow in the getgrouplist function.
glibc is the GNU C library.
A bug in the getgrouplist function can cause a buffer overflow if the size
of the group list is too small to hold all the user's groups. This overflow
can cause segmentation faults in user applications. This vulnerability
exists only when an administrator has placed a user in a number of groups
larger than that expected by an application.
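The crash the advisory describes comes from applications that size the group array from a fixed guess and never check the return value. The following is an added example, not glibc's code or any application's: the calling pattern for getgrouplist(3) that survives a user with an arbitrary number of groups. getgrouplist returns -1 when the array is too small and, on glibc, stores the required count in *ngroups, so the caller grows the array and retries; the geometric fallback covers C libraries that report -1 without the required size. The user name in main() is only a default for running it by hand.

```c
/*
 * Added example, not glibc's or any application's own code: the correct
 * calling pattern for getgrouplist(3). When the caller's array is too small,
 * getgrouplist returns -1 and stores the required count in *ngroups; an
 * application that sizes the array from a fixed guess and never checks for
 * -1 is the kind the advisory describes crashing when a user belongs to
 * more groups than expected.
 */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Store the groups of `user` (base group `gid` included, first) in *out.
 * Returns the number of groups, or -1 if memory runs out; the caller
 * frees *out. */
int user_groups(const char *user, gid_t gid, gid_t **out)
{
    int have = 1;                                  /* deliberately too small */
    int want = have;
    gid_t *groups = malloc(sizeof *groups * have);
    if (!groups) return -1;

    /* glibc reports the size needed in `want`; some BSD libcs only return
     * -1, so grow geometrically if the reported size did not increase. */
    while (getgrouplist(user, gid, groups, &want) == -1) {
        if (want <= have) want = have * 2;
        gid_t *bigger = realloc(groups, sizeof *groups * want);
        if (!bigger) { free(groups); return -1; }
        groups = bigger;
        have = want;
    }
    *out = groups;
    return want;                                   /* count actually filled */
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    gid_t *groups;
    int n = user_groups(user, 0, &groups);
    if (n < 0) { perror("user_groups"); return 1; }
    printf("%s: %d group(s):", user, n);
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)groups[i]);
    putchar('\n');
    free(groups);
    return 0;
}
```

Run it as `./a.out someuser` on a host where that account has been added to many groups; the loop grows the array as often as needed instead of trusting a compile-time limit, which is the check the affected applications lacked.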
Applications that use getgrouplist can crash.
There is no known workaround at this time.
It is recommended that all Gentoo Linux users update their systems as
follows:
# emerge sync
# emerge -pv '>=sys-libs/glibc-2.2.5'
# emerge '>=sys-libs/glibc-2.2.5'
# emerge clean
phpSysInfo contains two vulnerabilities that can allow arbitrary code
execution and local directory traversal.
phpSysInfo is a PHP system information tool.
phpSysInfo contains two vulnerabilities which could allow local files to be
read or arbitrary PHP code to be executed, under the privileges of the web
server process.
An attacker could read local files or execute arbitrary code with the
permissions of the user running the host web server.
There is no known workaround at this time.
It is recommended that all Gentoo Linux users who are running
www-apps/phpsysinfo upgrade to the fixed version:
# emerge sync
# emerge -pv '>=www-apps/phpsysinfo-2.1-r1'
# emerge '>=www-apps/phpsysinfo-2.1-r1'
# emerge clean
Libnids contains a bug which could allow remote code execution.
Libnids is a component of a network intrusion detection system.
There is a bug in the part of libnids code responsible for TCP reassembly.
The flaw probably allows remote code execution.
A remote attacker could possibly execute arbitrary code.
There is no known workaround at this time.
It is recommended that all Gentoo Linux users who are running
net-libs/libnids update their systems as follows:
# emerge sync
# emerge -pv '>=net-libs/libnids-1.18'
# emerge '>=net-libs/libnids-1.18'
# emerge clean
A server in the rsync.gentoo.org rotation was compromised.
The rsync.gentoo.org rotation of servers provides an up to date Portage
tree using the rsync file transfer protocol.
On December 2nd at approximately 03:45 UTC, one of the servers that makes up
the rsync.gentoo.org rotation was compromised via a remote exploit. At this
point, we are still performing forensic analysis. However, the compromised
system had both an IDS and a file integrity checker installed and we have a
very detailed forensic trail of what happened once the box was breached, so
we are reasonably confident that the portage tree stored on that box was
unaffected.
The attacker appears to have installed a rootkit and modified/deleted some
files to cover their tracks, but left the server otherwise untouched. The
box was in a compromised state for approximately one hour before it was
discovered and shut down. During this time, approximately 20 users
synchronized against the portage mirror stored on this box. The method used
to gain access to the box remotely is still under investigation. We will
release more details once we have ascertained the cause of the remote
exploit.
This box is not an official Gentoo infrastructure box and is instead donated
by a sponsor. The box provides other services as well and the sponsor has
requested that we not publicly identify the box at this time. Because the
Gentoo part of this box appears to be unaffected by this exploit, we are
currently honoring the sponsor's request. That said, if at any point, we
determine that any file in the portage tree was modified in any way, we will
release full details about the compromised server.
There is no known impact at this time.
There is no known workaround at this time.
Again, based on the forensic analysis done so far, we are reasonably
confident that no files within the Portage tree on the box were affected.
However, the server has been removed from all rsync.*.gentoo.org rotations
and will remain so until the forensic analysis has been completed and the
box has been wiped and rebuilt. Thus, users preferring an extra level of
security may ensure that they have a correct and accurate portage tree by
running:
# emerge sync
Which will perform a sync against another server and ensure that all files
are up to date.
rsync contains a heap overflow vulnerability that can be used to execute
arbitrary code.
rsync is a popular file transfer package used to synchronize the Portage
tree.
Rsync version 2.5.6 contains a vulnerability that can be used to run
arbitrary code. The Gentoo infrastructure team has some reasonably good
forensic evidence that this exploit may have been used in combination with
the Linux kernel do_brk() vulnerability (see GLSA 200312-02) to exploit a
rsync.gentoo.org rotation server (see GLSA-200312-01.)
Please see http://lwn.net/Articles/61541/ for the security advisory released
by the rsync development team.
A remote attacker could execute arbitrary code with the permissions of the
root user.
There is no known workaround at this time.
To address this vulnerability, all Gentoo users should read GLSA-200312-02
and ensure that all systems are upgraded to a version of the Linux kernel
without the do_brk() vulnerability, and upgrade to version 2.5.7 of rsync:
# emerge sync
# emerge -pv '>=net-misc/rsync-2.5.7'
# emerge '>=net-misc/rsync-2.5.7'
# emerge clean
Review your /etc/rsync/rsyncd.conf configuration file: ensure that any
'use chroot = no' setting is commented out or removed, or change it to
'use chroot = yes'. Then, if necessary, restart rsyncd:
# /etc/init.d/rsyncd restart
A bug in cvs could allow attempts to create files and directories outside a
repository.
CVS, which stands for Concurrent Versions System, is a client/server
application which tracks changes to sets of files. It allows multiple users
to work concurrently on files, and then merge their changes back into the
main tree (which can be on a remote system). It also allows branching, or
maintaining separate versions for files.
Quote from ccvs.cvshome.org/servlets/NewsItemView?newsID=84:
"Stable CVS 1.11.10 has been released. Stable releases contain only bug
fixes from previous versions of CVS. This release fixes a security issue
with no known exploits that could cause previous versions of CVS to attempt
to create files and directories in the filesystem root. This release also
fixes several issues relevant to case insensitive filesystems and some other
bugs. We recommend this upgrade for all CVS clients and servers!"
Attempts to create files and directories outside the repository may be
possible.
There is no known workaround at this time.
All Gentoo Linux machines with cvs installed should be updated to use
dev-util/cvs-1.11.10 or higher:
# emerge sync
# emerge -pv '>=dev-util/cvs-1.11.10'
# emerge '>=dev-util/cvs-1.11.10'
# emerge clean
A bug in GnuPG allows ElGamal signing keys to be compromised, and a format
string bug in the gpgkeys_hkp utility may allow arbitrary code execution.
GnuPG is a popular open source signing and encryption tool.
Two flaws have been found in GnuPG 1.2.3.
First, ElGamal signing keys can be compromised. These keys are not commonly
used, but this is "a significant security failure which can lead to a
compromise of almost all ElGamal keys used for signing. Note that this is a
real world vulnerability which will reveal your private key within a few
seconds".
Second, there is a format string flaw in the 'gpgkeys_hkp' utility which
"would allow a malicious keyserver in the worst case to execute an arbitrary
code on the user's machine."
If you have used ElGamal keys for signing your private key can be
compromised, and a malicious keyserver could remotely execute arbitrary code
with the permissions of the user running gpgkeys_hkp.
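Before revoking anything, a user needs to know which of their keys are the affected type. The following is an added example, not GnuPG's code or a command from this advisory: a C filter for the machine-readable output of `gpg --list-keys --with-colons` (and `gpg --list-secret-keys --with-colons`), where field 1 is the record type, field 4 the public-key algorithm number and field 5 the key ID. OpenPGP algorithm 20 is ElGamal sign+encrypt, the signing-capable ElGamal type the advisory refers to; algorithm 16 is encrypt-only ElGamal and cannot sign. The listing embedded below is constructed for the example; its key IDs and user IDs are made up.

```c
/*
 * Added example, not GnuPG's code: scan the machine-readable output of
 * `gpg --list-keys --with-colons` (and --list-secret-keys) for keys whose
 * algorithm field is 20, the ElGamal sign+encrypt type the advisory tells
 * users to revoke. Field 1 is the record type, field 4 the public-key
 * algorithm number and field 5 the key ID. The sample listing is
 * constructed for this example; the key IDs and user IDs are made up.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ELGAMAL_SIGN_ENCRYPT 20   /* OpenPGP algorithm id 20: affected */
#define ELGAMAL_ENCRYPT_ONLY 16   /* algorithm id 16: cannot sign, not affected */

/* Copy field `idx` (1-based) of a colon-separated record into buf.
 * Returns 1 if the field exists. */
static int field(const char *rec, int idx, char *buf, size_t buflen)
{
    const char *p = rec;
    for (int i = 1; i < idx; i++) {
        p = strchr(p, ':');
        if (!p) return 0;
        p++;
    }
    size_t len = strcspn(p, ":\n");
    if (len >= buflen) len = buflen - 1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return 1;
}

/* Returns 1 if the record is a primary key or subkey (public or secret)
 * using algorithm 20. */
int is_elgamal_signing_key(const char *rec)
{
    char type[8], algo[8];
    if (!field(rec, 1, type, sizeof type) || !field(rec, 4, algo, sizeof algo))
        return 0;
    if (strcmp(type, "pub") && strcmp(type, "sub") &&
        strcmp(type, "sec") && strcmp(type, "ssb"))
        return 0;
    return atoi(algo) == ELGAMAL_SIGN_ENCRYPT;
}

/* Prints the key ID of every affected record and returns how many. */
int find_elgamal_signing_keys(const char *const *records, int n)
{
    int found = 0;
    char keyid[32];
    for (int i = 0; i < n; i++) {
        if (!is_elgamal_signing_key(records[i])) continue;
        field(records[i], 5, keyid, sizeof keyid);
        printf("revoke: key %s uses ElGamal sign+encrypt (algorithm 20)\n", keyid);
        found++;
    }
    return found;
}

/* Constructed listing: a DSA primary with an encrypt-only ElGamal subkey
 * (safe) and an ElGamal sign+encrypt primary (affected). */
const char *const sample_listing[] = {
    "tru::0:1070000000:1101000000:3:1:5",
    "pub:u:1024:17:0123456789ABCDEF:2003-11-01:::u:Example User <user@example.org>::scSC:",
    "sub:u:2048:16:FEDCBA9876543210:2003-11-01::::::e:",
    "pub:u:1024:20:0011223344556677:2003-06-15:::u:Example ElGamal <elg@example.org>::scSCE:",
    "uid:u::::2003-06-15::1234567890ABCDEF1234567890ABCDEF12345678::Example ElGamal <elg@example.org>:",
};
const int sample_listing_len = 5;

int main(void)
{
    int n = find_elgamal_signing_keys(sample_listing, sample_listing_len);
    printf("%d ElGamal sign+encrypt key(s) to revoke\n", n);
    return 0;
}
```

In practice the records come from piping the two gpg listings into the program; every key ID it reports should be revoked as the advisory says, and the revocation certificate sent to the keyservers the key was published on.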
There is no known workaround at this time.
All users who have created ElGamal signing keys should immediately revoke
them. In addition, all Gentoo Linux machines with gnupg installed should be
updated to use gnupg-1.2.3-r5 or higher:
# emerge sync
# emerge -pv '>=app-crypt/gnupg-1.2.3-r5'
# emerge '>=app-crypt/gnupg-1.2.3-r5'
# emerge clean
A bug in XChat could allow malformed dcc send requests to cause a denial of
service.
XChat is a multiplatform IRC client.
There is a remotely exploitable bug in XChat 2.0.6 that could lead to a
denial of service attack. Gentoo wishes to thank lloydbates for discovering
this bug, as well as jcdutton and rac for submitting patches to fix the bug.
A malformed DCC packet sent by a remote attacker can cause XChat to crash.
There is no known workaround at this time.
For Gentoo users, xchat-2.0.6 was marked ~arch (unstable) for most
architectures. Since it was never marked as stable in the portage tree,
only xchat users who have explicitly added the unstable keyword to
ACCEPT_KEYWORDS are affected. Users may update affected machines to the
patched version of xchat using the following commands:
# emerge sync
# emerge -pv '>=net-irc/xchat-2.0.6-r1'
# emerge '>=net-irc/xchat-2.0.6-r1'
# emerge clean
This assumes that users are running with ACCEPT_KEYWORDS enabled for their
architecture.
Two buffer overflow problems are found in lftp that, in case the user visits
a malicious ftp server, could lead to malicious code being executed.
lftp is a multithreaded command-line based FTP client. It allows you to
execute multiple commands simultaneously or in the background. It features
mirroring capabilities, resuming downloads, etc.
Two buffer overflows exist in lftp. Both can occur when the user connects to
a malicious web server using the HTTP or HTTPS protocol and issues lftp's
"ls" or "rels" commands.
Ulf Harnhammar explains:
Technically, the problem lies in the file src/HttpDir.cc and the
functions try_netscape_proxy() and try_squid_eplf(), which both
have sscanf() calls that take data of an arbitrary length and
store it in a char array with 32 elements. (Back in version 2.3.0,
the problematic code was located in some other function, but the
problem existed back then too.) Depending on the HTML document in the
specially prepared directory, buffers will be overflown in either one
function or the other.
When a user issues "ls" or "rels" on a malicious server, the lftp
application can be tricked into running arbitrary code on the user's
machine.
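The defect described above is a common one: sscanf() with an unbounded "%s" conversion writing into a fixed 32-element char array. The following is an added example, not lftp's code, showing that pattern beside a version that refuses over-long tokens; the "name size" line format is assumed for illustration and is not lftp's listing format. A width such as "%31s" would also stop the overflow but silently truncates the field, so the safe version rejects the line instead, which is what a client parsing server-controlled data should do.

```c
/*
 * Added example, not lftp's code: the defect the advisory describes, an
 * sscanf() "%s" conversion that stores a token of arbitrary length in a
 * 32-element char array, beside a version that refuses over-long tokens.
 * The "name size" line format is assumed for illustration; it is not
 * lftp's listing format. parse_unsafe() is shown only for comparison and
 * must not be called on untrusted input.
 */
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 32

/* Vulnerable: "%s" has no width, so a token of FIELD_LEN or more bytes
 * writes past the end of the FIELD_LEN-byte array it is stored in. */
int parse_unsafe(const char *line, char *name, char *size)
{
    return sscanf(line, "%s %s", name, size) == 2;
}

/* Copy one whitespace-delimited token into dst if it fits with its
 * terminator; reject otherwise. A width such as "%31s" would also stop
 * the overflow but would silently truncate, so we refuse instead. */
static int copy_token(const char **p, char *dst, size_t dstlen)
{
    *p += strspn(*p, " \t");
    size_t len = strcspn(*p, " \t\r\n");
    if (len == 0 || len >= dstlen) return 0;
    memcpy(dst, *p, len);
    dst[len] = '\0';
    *p += len;
    return 1;
}

/* Safe: fills name[] and size[] (each FIELD_LEN bytes) and returns 1, or
 * returns 0 without writing past either array. */
int parse_safe(const char *line, char *name, char *size)
{
    const char *p = line;
    return copy_token(&p, name, FIELD_LEN) && copy_token(&p, size, FIELD_LEN);
}

int main(void)
{
    char name[FIELD_LEN], size[FIELD_LEN];
    /* Constructed: a server-controlled listing line with an over-long name. */
    char hostile[200];
    memset(hostile, 'A', 120);
    strcpy(hostile + 120, " 1024");
    if (!parse_safe(hostile, name, size))
        puts("rejected over-long token (parse_unsafe would have overflowed)");
    if (parse_safe("index.html 2048", name, size))
        printf("name=%s size=%s\n", name, size);
    return 0;
}
```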
There is no workaround available.
All Gentoo users who have net-ftp/lftp installed should update to
version 2.6.10 or higher using these commands:
# emerge sync
# emerge -pv '>=net-ftp/lftp-2.6.10'
# emerge '>=net-ftp/lftp-2.6.10'
# emerge clean
A possible root compromise exists for CVS pservers.
CVS, which stands for Concurrent Versions System, is a client/server
application which tracks changes to sets of files. It allows multiple users
to work concurrently on files, and then merge their changes back into the
main tree (which can be on a remote system). It also allows branching, or
maintaining separate versions for files.
Quote from ccvs.cvshome.org/servlets/NewsItemView?newsID=88:
"Stable CVS 1.11.11 has been released. Stable releases contain only bug
fixes from previous versions of CVS. This release adds code to the CVS
server to prevent it from continuing as root after a user login, as an extra
failsafe against a compromise of the CVSROOT/passwd file. Previously, any
user with the ability to write the CVSROOT/passwd file could execute
arbitrary code as the root user on systems with CVS pserver access enabled.
We recommend this upgrade for all CVS servers!"
A remote user could execute arbitrary code with the permissions of the root
user.
There is no known workaround at this time.
All Gentoo Linux machines with cvs installed should be updated to use
cvs-1.11.11 or higher.
# emerge sync
# emerge -pv '>=dev-util/cvs-1.11.11'
# emerge '>=dev-util/cvs-1.11.11'
# emerge clean
A critical security vulnerability has been found in recent Linux kernels
which allows for local privilege escalation.
The Linux kernel is responsible for memory management in a running
system; to allow this, processes are allowed to allocate and deallocate
memory.
The memory subsystem allows chunks of memory to be shrunk, grown, and moved
within any of the memory areas the kernel possesses.
A typical virtual memory area covers at least one memory page. An incorrect
bound check discovered inside the do_mremap() kernel code performing
remapping of a virtual memory area may lead to creation of a virtual memory
area of 0 bytes length.
The problem is based on the general mremap flaw that remapping 2 pages from
inside a VMA creates a memory hole of only one page in length but an
additional VMA of two pages. In the case of a zero sized remapping request
no VMA hole is created but an additional VMA descriptor of 0
bytes in length is created.
This advisory also addresses an information leak in the Linux RTC system.
A process exploiting this flaw may disrupt the operation of other parts of
the kernel memory management subsystem, finally leading to unexpected
behavior.
Since no special privileges are required to use the mremap(2) system call
any process may misuse its unexpected behavior to disrupt the kernel memory
management subsystem. Proper exploitation of this vulnerability may lead to
local privilege escalation including execution of arbitrary code
with kernel level access.
Proof-of-concept exploit code has been created and successfully tested,
permitting root escalation on vulnerable systems. As a result, all users
should upgrade their kernels to new or patched versions.
There is no temporary workaround - a kernel upgrade is required. A list
of unaffected kernels is provided along with this announcement.
Users are encouraged to upgrade to the latest available sources for
their system:
$> emerge sync
$> emerge -pv your-favourite-sources
$> emerge your-favourite-sources
$> # Follow usual procedure for compiling and installing a kernel.
$> # If you use genkernel, run genkernel as you would do normally.
$> # IF YOUR KERNEL IS MARKED as "remerge required!" THEN
$> # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE
$> # REPORTS THAT THE SAME VERSION IS INSTALLED.
Identification of Honeyd installations allows an adversary to launch
attacks specifically against Honeyd. No remote root exploit is currently
known.
Honeyd is a virtual honeypot daemon that can simulate virtual hosts on
unallocated IP addresses.
A bug in handling NMAP fingerprints caused Honeyd to reply to TCP
packets with both the SYN and RST flags set. Watching for replies, it is
possible to detect IP addresses simulated by Honeyd.
Although there are no public exploits known for Honeyd, the detection
of Honeyd IP addresses may in some cases be undesirable.
Honeyd 0.8 has been released along with an advisory to address this
issue. In addition, Honeyd 0.8 drops privileges if permitted by the
configuration file and contains command line flags to force dropping
of privileges.
All users are recommended to update to honeyd version 0.8:
$> emerge sync
$> emerge -pv ">=net-analyzer/honeyd-0.8"
$> emerge ">=net-analyzer/honeyd-0.8"
Apache's mod_python module could crash the httpd process if a specific,
malformed query string was sent.
Mod_python is an Apache module that embeds the Python interpreter
within the server allowing Python-based web-applications to be
created.
The Apache Foundation has reported that mod_python may be prone to
Denial of Service attacks when handling a malformed
query. Mod_python 2.7.9 was released to fix the vulnerability,
however, because the vulnerability has not been fully fixed,
version 2.7.10 has been released.
Users of mod_python 3.0.4 are not affected by this vulnerability.
Although no public exploit is known for this vulnerability, users are
recommended to upgrade mod_python to ensure the security of their
infrastructure.
Mod_python 2.7.10 has been released to solve this issue; there is
no immediate workaround.
All users using mod_python 2.7.9 or below are recommended to
update their mod_python installation:
$> emerge sync
$> emerge -pv ">=www-apache/mod_python-2.7.10"
$> emerge ">=www-apache/mod_python-2.7.10"
$> /etc/init.d/apache restart
Various overflows in the handling of AIM DirectIM packets were revealed in
GAIM that could lead to a remote compromise of the IM client.
Gaim is a multi-platform and multi-protocol instant messaging
client. It is compatible with AIM, ICQ, MSN Messenger, Yahoo,
IRC, Jabber, Gadu-Gadu, and the Zephyr networks.
Yahoo changed the authentication methods to their IM servers,
rendering GAIM useless. The GAIM team released a rushed release
solving this issue, however, at the same time a code audit
revealed 12 new vulnerabilities.
Due to the nature of instant messaging many of these bugs require
man-in-the-middle attacks between the client and the server. But
the underlying protocols are easy to implement and attacking
ordinary TCP sessions is a fairly simple task. As a result, all
users are advised to upgrade their GAIM installation.
Users of GAIM 0.74 or below are affected by 7 of the
vulnerabilities and are encouraged to upgrade.
Users of GAIM 0.75 are affected by 11 of the vulnerabilities
and are encouraged to upgrade to the patched version of GAIM
offered by Gentoo.
Users of GAIM 0.75-r6 are only affected by
4 of the vulnerabilities, but are still urged to upgrade to
maintain security.
There is no immediate workaround; a software upgrade is required.
All users are recommended to upgrade GAIM to 0.75-r7.
$> emerge sync
$> emerge -pv ">=net-im/gaim-0.75-r7"
$> emerge ">=net-im/gaim-0.75-r7"
If the server configuration "php.ini" file has
"register_globals = on" and a request is made to one virtual host
(which has "php_admin_flag register_globals off") and the next
request is sent to another virtual host (which does not have the
setting) global variables may leak and may be used to exploit the
site.
PHP is a widely-used general-purpose scripting language that is
especially suited for Web development and can be embedded into HTML.
If the server configuration "php.ini" file has
"register_globals = on" and a request is made to one virtual host
(which has "php_admin_flag register_globals off") and the next
request is sent to another virtual host (which does not have the
setting) through the same apache child, the setting will persist.
Depending on the server and site, an attacker may be able to exploit
global variables to gain access to reserved areas, such as MySQL passwords,
or this vulnerability may simply cause a lack of functionality. As a
result, users are urged to upgrade their PHP installations.
Gentoo ships PHP with "register_globals" set to "off"
by default.
This issue affects both servers running Apache 1.x and servers running
Apache 2.x.
No immediate workaround is available; a software upgrade is required.
All users are recommended to upgrade their PHP installation to 4.3.4-r4:
# emerge sync
# emerge -pv ">=dev-php/mod_php-4.3.4-r4"
# emerge ">=dev-php/mod_php-4.3.4-r4"
Exploitation of a buffer overflow in the XFree86 Project Inc.'s XFree86 X
Window System allows local attackers to gain root privileges.
XFree86 provides a client/server interface between display
hardware and the desktop environment while also providing both the
windowing infrastructure and a standardized API. XFree86 is
platform independent, network-transparent and extensible.
Exploitation of a buffer overflow in the XFree86 Window System
discovered by iDefense allows local attackers to gain root
privileges.
The problem exists in the parsing of the 'fonts.alias' file. The X
server (running as root) fails to check the length of the user
provided input, so a malicious user may craft a malformed
'fonts.alias' file causing a buffer overflow upon parsing,
eventually leading to the execution of arbitrary code.
To reproduce the overflow on the command line one can run:
# cat > fonts.dir <<EOF
1
word.bdf -misc-fixed-medium-r-semicondensed--13-120-75-75-c-60-iso8859-1
EOF
# perl -e 'print "0" x 1024 . "A" x 96 . "\n"' > fonts.alias
# X :0 -fp $PWD
{Some output removed}... Server aborting... Segmentation fault (core dumped)
Successful exploitation can lead to a root compromise provided
that the attacker is able to execute commands in the X11
subsystem. This can be done either by having console access to the
target or through a remote exploit against any X client program
such as a web-browser, mail-reader or game.
No immediate workaround is available; a software upgrade is required.
Gentoo has released XFree 4.2.1-r3, 4.3.0-r4 and 4.3.99.902-r1 and
encourages all users to upgrade their XFree86
installations. Vulnerable versions are no longer available in
Portage.
All users are recommended to upgrade their XFree86 installation:
# emerge sync
# emerge -pv x11-base/xfree
# emerge x11-base/xfree
XFree86 Font Information File Buffer Overflow
A bug in the get_real_string() function allows a Denial of Service attack to
be launched against the web server.
The Monkey HTTP daemon is a Web server written in C that works
under Linux and is based on the HTTP/1.1 protocol. It aims to develop
a fast, efficient and small web server.
A bug in the URI processing of incoming requests allows a Denial of
Service to be launched against the web server, which may cause the server
to crash or behave erratically.
Although there are no public exploits known for this bug, users are
recommended to upgrade to ensure the security of their infrastructure.
There is no immediate workaround; a software upgrade is
required. The vulnerable function in the code has been rewritten.
All users are recommended to upgrade monkeyd to 0.8.2:
# emerge sync
# emerge -pv ">=www-servers/monkeyd-0.8.2"
# emerge ">=www-servers/monkeyd-0.8.2"
The Gallery developers have discovered a potentially serious security flaw
in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 which can allow a
remote exploit of your webserver.
Gallery is an open source image management system written in PHP.
More information is available at http://gallery.sourceforge.net
Starting in the 1.3.1 release, Gallery includes code to simulate the behaviour
of the PHP 'register_globals' variable in environments where that setting
is disabled. It is simulated by extracting the values of the various
$HTTP_ global variables into the global namespace.
A crafted URL such as
http://example.com/gallery/init.php?HTTP_POST_VARS=xxx causes the
'register_globals' simulation code to overwrite the $HTTP_POST_VARS which,
when it is extracted, will deliver the given payload. If the
payload compromises $GALLERY_BASEDIR then the malicious user can perform a
PHP injection exploit and gain remote access to the webserver with PHP
user UID access rights.
The workaround for the vulnerability is to replace init.php and
setup/init.php with the files in the following ZIP file:
http://prdownloads.sourceforge.net/gallery/patch_1.4.1-to-1.4.1-pl1.zip?download
All users are encouraged to upgrade their gallery installation:
# emerge sync
# emerge -p ">=www-apps/gallery-1.4.1_p1"
# emerge ">=www-apps/gallery-1.4.1_p1"
A vulnerability in phpMyAdmin which was not properly verifying user
generated input could lead to a directory traversal attack.
phpMyAdmin is a tool written in PHP intended to handle the administration
of MySQL databases over the Web.
One component of the phpMyAdmin software package (export.php) does not
properly verify input that is passed to it from a remote user. Since the
input is used to include other files, it is possible to launch a directory
traversal attack.
Private information could be gleaned from the remote server if an attacker
uses a malformed URL such as http://phpmyadmin.example.com/export.php?what=../../../[existing_file]
In this scenario, the script does not sanitize the "what" argument passed
to it, allowing directory traversal attacks to take place, disclosing
the contents of files if the file is readable as the web-server user.
The workaround is to either patch the export.php file using the
referenced CVS patch or upgrade the software via Portage.
Users are encouraged to upgrade to phpMyAdmin-2.5.6_rc1:
# emerge sync
# emerge -pv ">=dev-db/phpmyadmin-2.5.6_rc1"
# emerge ">=dev-db/phpmyadmin-2.5.6_rc1"
# emerge clean
A vulnerability has been discovered in the ptrace emulation code for AMD64
platforms in the processing of eflags, allowing a local user to obtain
elevated privileges.
A vulnerability has been discovered by Andi Kleen in the ptrace emulation
code for AMD64 platforms in the processing of eflags, allowing a local user
to obtain elevated privileges. The Common Vulnerabilities and Exposures
project, http://cve.mitre.org, has assigned CAN-2004-0001 to this issue.
Only users of the AMD64 platform are affected: in this scenario, a user may
be able to obtain elevated privileges, including root access. However, no
public exploit is known for the vulnerability at this time.
There is no temporary workaround - a kernel upgrade is required. A list of
unaffected kernels is provided along with this announcement.
Users are encouraged to upgrade to the latest available sources for
their system:
# emerge sync
# emerge -pv your-favourite-sources
# emerge your-favourite-sources
# # Follow usual procedure for compiling and installing a kernel.
# # If you use genkernel, run genkernel as you would do normally.
# # IF YOUR KERNEL IS MARKED as "remerge required!" THEN
# # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE
# # REPORTS THAT THE SAME VERSION IS INSTALLED.
Oliver Eikemeier has reported a vulnerability in Clam AV, which can be
exploited by a malformed uuencoded message causing a denial of service for
programs that rely on the clamav daemon, such as SMTP daemons.
Clam AntiVirus is a GPLed anti-virus toolkit, designed for integration with
mail servers to perform attachment scanning. Clam AV also provides a
command line scanner and a tool for fetching updates of the virus database.
Oliver Eikemeier of Fillmore Labs discovered the overflow in Clam AV 0.65
when it handled malformed UUEncoded messages, causing the daemon to shut
down.
The problem originates in libclamav, which calculates the line length of a
uuencoded message by taking the ASCII value of the first character minus 64
and asserts if the length is not in the allowed range. The assertion
terminates the calling program, so clamav is no longer available.
A malformed message therefore causes a denial of service, and depending on
the server configuration this may affect other daemons relying on Clam AV
in a fatal manner.
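As an added illustration (not libclamav's code), the following C function decodes one uuencoded line using the standard uuencode rule (payload length = first byte minus 32, modulo 64, at most 45 bytes per line) and returns an error for an out-of-range length or a short line instead of asserting, so the calling daemon keeps running on a broken message:

```c
#include <string.h>

/* Added example, not libclamav code: decode one uuencoded line into out.
 * Standard uuencode: each byte c in ' '..'`' carries the 6-bit value (c - ' ') & 0x3F,
 * and the first byte gives the number of payload bytes on the line (at most 45).
 * Returns the number of bytes written, or -1 for a malformed line. A bad length is
 * reported to the caller instead of asserted on, so a scanning daemon that meets a
 * broken message keeps running. */
#define UU_VAL(c) ((unsigned)(((c) - ' ') & 0x3F))
#define UU_MAX_LINE_BYTES 45

int uu_decode_line(const char *line, unsigned char *out, size_t outlen)
{
    size_t len = strlen(line);
    if (len == 0 || line[0] < ' ' || line[0] > '`')
        return -1;                      /* no length byte, or not a uuencode byte */
    unsigned n = UU_VAL(line[0]);       /* declared payload length, 0..63 */
    if (n > UU_MAX_LINE_BYTES || n > outlen)
        return -1;                      /* outside the allowed range: refuse, do not abort */
    size_t groups = (n + 2) / 3;        /* every 4 encoded bytes carry 3 payload bytes */
    if (len - 1 < groups * 4)
        return -1;                      /* line is shorter than its length byte claims */
    const char *p = line + 1;
    unsigned written = 0;
    for (size_t g = 0; g < groups; g++, p += 4) {
        for (int k = 0; k < 4; k++)
            if (p[k] < ' ' || p[k] > '`')
                return -1;              /* byte outside the uuencode alphabet */
        unsigned v0 = UU_VAL(p[0]), v1 = UU_VAL(p[1]), v2 = UU_VAL(p[2]), v3 = UU_VAL(p[3]);
        unsigned char b[3] = {
            (unsigned char)((v0 << 2) | (v1 >> 4)),
            (unsigned char)((v1 << 4) | (v2 >> 2)),
            (unsigned char)((v2 << 6) | v3)
        };
        for (int k = 0; k < 3 && written < n; k++)
            out[written++] = b[k];
    }
    return (int)written;
}
```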
There is no immediate workaround, a software upgrade is required.
All users are urged to upgrade their Clam AV installations to Clam AV 0.67:
# emerge sync
# emerge -pv ">=app-antivirus/clamav-0.6.7"
# emerge ">=app-antivirus/clamav-0.6.7"
A buffer overflow has been discovered in libxml2 versions prior to
2.6.6 which may be exploited by an attacker allowing the execution of
arbitrary code.
Yuuichi Teranishi discovered a flaw in libxml2 versions prior to 2.6.6.
When libxml2 fetches a remote resource via FTP or HTTP, it uses parsing
routines whose bounds checking is inadequate: a URL longer than 4096 bytes
overflows a buffer.
If an attacker is able to exploit an application using libxml2 that parses
remote resources, then this flaw could be used to execute arbitrary code.
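An added example (not libxml2's code) of the bounded URL scanning such a fix calls for: each component is copied into a fixed-size field only after its length is checked, and an over-long input, including one past the 4096-byte mark, is rejected rather than written past the buffer. The field sizes are assumptions chosen for the example.

```c
#include <string.h>

/* Added example, not libxml2 code. The fields are fixed-size, like the 4096-byte
 * scratch buffers the advisory describes; the point is that every copy into them
 * is length-checked first, so an over-long URL is rejected, never written past the end. */
#define URL_MAX  4096
#define HOST_MAX 256

typedef struct {
    char scheme[16];
    char host[HOST_MAX];
    int  port;             /* 0 when the URL names none */
    char path[URL_MAX];
} url_parts;

/* Copy the bytes [s, e) into dst of capacity cap, or fail without writing. */
static int copy_bounded(char *dst, size_t cap, const char *s, const char *e)
{
    size_t n = (size_t)(e - s);
    if (n >= cap) return -1;
    memcpy(dst, s, n);
    dst[n] = '\0';
    return 0;
}

/* Parse "scheme://host[:port][/path]". Returns 0 on success, -1 on malformed or
 * over-long input. Nothing is stored in *u until it is known to fit. */
int url_parse_bounded(const char *url, url_parts *u)
{
    if (strlen(url) >= URL_MAX) return -1;                     /* whole URL over the limit */
    const char *p = strstr(url, "://");
    if (!p || copy_bounded(u->scheme, sizeof u->scheme, url, p) < 0) return -1;
    const char *host = p + 3, *host_end = host + strcspn(host, ":/");
    if (host_end == host || copy_bounded(u->host, sizeof u->host, host, host_end) < 0)
        return -1;                                             /* empty or over-long host */
    u->port = 0;
    p = host_end;
    if (*p == ':') {
        long port = 0;
        int digits = 0;
        for (p++; *p >= '0' && *p <= '9'; p++, digits++) {
            port = port * 10 + (*p - '0');
            if (port > 65535) return -1;
        }
        if (digits == 0 || (*p != '/' && *p != '\0')) return -1;
        u->port = (int)port;
    }
    if (*p == '\0') { strcpy(u->path, "/"); return 0; }        /* no path given */
    return copy_bounded(u->path, sizeof u->path, p, p + strlen(p));
}
```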
No workaround is available; users are urged to upgrade libxml2 to 2.6.6.
All users are recommended to upgrade their libxml2 installation:
# emerge sync
# emerge -pv ">=dev-libs/libxml2-2.6.6"
# emerge ">=dev-libs/libxml2-2.6.6"
A critical security vulnerability has been found in recent Linux kernels by
Paul Starzetz of iSEC Security Research which allows for local privilege
escalations.
The Linux kernel is responsible for memory management in a working
system - to allow this, processes are allowed to allocate and
deallocate memory.
The memory subsystem allows for shrinking, growing, and moving of
chunks of memory along any of the allocated memory areas which the
kernel possesses.
To accomplish this, the do_mremap code calls the do_munmap() kernel
function to remove any old memory mappings in the new location - but,
the code doesn't check the return value of the do_munmap() function
which may fail if the maximum number of available virtual memory area
descriptors has been exceeded.
Due to the missing return value check after trying to unmap the middle
of the first memory area, the corresponding page table entries from the
second new area are inserted into the page table locations described by
the first old one, thus they are subject to page protection flags of
the first area. As a result, arbitrary code can be executed.
Arbitrary code running with normal non-superuser privileges may be able to
exploit this vulnerability and may disrupt the operation of other parts
of the kernel memory management subroutines, finally leading to
unexpected behavior.
Since no special privileges are required to use the mremap() and
munmap() system calls, any process may misuse this unexpected behavior
to disrupt the kernel memory management subsystem. Proper exploitation
of this vulnerability may lead to local privilege escalation allowing
for the execution of arbitrary code with kernel level root access.
Proof-of-concept exploit code has been created and successfully tested,
permitting root escalation on vulnerable systems. As a result, all
users should upgrade their kernels to new or patched versions.
Users who are unable to upgrade their kernels may attempt to use
"sysctl -w vm.max_map_count=1000000"; however, this is a temporary fix
which only works around the problem by increasing the number of memory
areas that can be created by each process. Because of the static nature
of this workaround, it is not recommended, and users are urged to upgrade
their systems to the latest available patched sources.
Users are encouraged to upgrade to the latest available sources for
their system:
# emerge sync
# emerge -pv your-favourite-sources
# emerge your-favourite-sources
# # Follow usual procedure for compiling and installing a kernel.
# # If you use genkernel, run genkernel as you would do normally.
# # IF YOUR KERNEL IS MARKED as "remerge required!" THEN
# # YOU SHOULD UPDATE YOUR KERNEL EVEN IF PORTAGE
# # REPORTS THAT THE SAME VERSION IS INSTALLED.
koon
Three vulnerabilities have been found in OpenSSL via a commercial test
suite for the TLS protocol developed by Codenomicon Ltd.
The OpenSSL Project is a collaborative effort to develop a robust,
commercial-grade, full-featured, and Open Source toolkit implementing
the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS
v1) protocols as well as a full-strength general purpose cryptography
library.
Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a null-pointer assignment in the do_change_cipher_spec()
function. A remote attacker could perform a carefully crafted SSL/TLS
handshake against a server that used the OpenSSL library in such a way
as to cause OpenSSL to crash. Depending on the application this could
lead to a denial of service. All versions of OpenSSL from 0.9.6c to
0.9.6l inclusive and from 0.9.7a to 0.9.7c inclusive are affected by
this issue.
A flaw has been discovered in SSL/TLS handshaking code when using
Kerberos ciphersuites. A remote attacker could perform a carefully
crafted SSL/TLS handshake against a server configured to use Kerberos
ciphersuites in such a way as to cause OpenSSL to crash. Most
applications have no ability to use Kerberos cipher suites and will
therefore be unaffected. Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL
are affected by this issue.
Testing performed by the OpenSSL group using the Codenomicon TLS Test
Tool uncovered a bug in older versions of OpenSSL 0.9.6 that can lead
to a Denial of Service attack (infinite loop). This issue was traced to
a fix that was added to OpenSSL 0.9.6d some time ago. This issue will
affect vendors that ship older versions of OpenSSL with backported
security patches.
Although there are no public exploits known for these bugs, users are
recommended to upgrade to ensure the security of their infrastructure.
There is no immediate workaround; a software upgrade is required. The
vulnerable function in the code has been rewritten.
All users are recommended to upgrade openssl to either 0.9.7d or 0.9.6m:
# emerge sync
# emerge -pv ">=dev-libs/openssl-0.9.7d"
# emerge ">=dev-libs/openssl-0.9.7d"
DerCorny
A memory leak in mod_ssl allows a remote denial of service attack against
an SSL-enabled server via plain HTTP requests. Another flaw allows
arbitrary client-supplied strings to be written to the error log, which
can be used to exploit certain terminal emulators. A third flaw exists in
the mod_disk_cache module.
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides services in tune with the current HTTP standards.
Three vulnerabilities were found:
A memory leak in ssl_engine_io.c for mod_ssl in Apache 2.0.48 and below
allows remote attackers to cause a denial of service attack via plain
HTTP requests to the SSL port of an SSL-enabled server.
Apache fails to filter terminal escape sequences from error logs; such
sequences begin with the ASCII escape character (0x1B) and are followed by
a series of arguments. If a remote attacker could inject escape sequences
into an Apache error log, the attacker could take advantage of weaknesses
in various terminal emulators, launching attacks against remote users
including further denial of service attacks, file modification, and the
execution of arbitrary commands.
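As an added example (not Apache's code), the following C functions detect terminal control bytes in a client-supplied string and neutralise them before the string reaches a log, rendering each one as \xHH so that the terminal of whoever reads the log never interprets it:

```c
#include <stdio.h>
#include <string.h>
/* Added example, not Apache code. A byte is unsafe to log raw if a terminal could act
 * on it: ESC (0x1B) starts escape sequences, 0x9B is the 8-bit CSI, and the other C0
 * controls and DEL (0x7F) drive cursor and line handling. */
static int log_byte_unsafe(unsigned char c)
{
    return c < 0x20 || c == 0x7F || c == 0x9B;
}

/* Returns 1 if s contains any byte a terminal would act on, else 0. */
int log_has_escape(const char *s)
{
    for (; *s; s++)
        if (log_byte_unsafe((unsigned char)*s))
            return 1;
    return 0;
}

/* Copy src into dst (capacity dstlen), rendering unsafe bytes and the backslash itself
 * as \xHH so the encoding stays unambiguous. Returns the output length, or -1 when dst
 * is too small (nothing is ever written past dst). */
int log_escape(const char *src, char *dst, size_t dstlen)
{
    size_t o = 0;
    if (dstlen == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '\\' || log_byte_unsafe(c)) {
            if (o + 4 >= dstlen) return -1;        /* room for \xHH plus the final NUL */
            snprintf(dst + o, dstlen - o, "\\x%02x", (unsigned)c);
            o += 4;
        } else {
            if (o + 1 >= dstlen) return -1;
            dst[o++] = (char)c;
        }
    }
    dst[o] = '\0';
    return (int)o;
}

/* Constructed sample: a request line carrying a "clear screen" sequence. */
int main(void)
{
    char clean[128];
    const char *request = "GET /\x1b[2J HTTP/1.0";
    if (log_has_escape(request) && log_escape(request, clean, sizeof clean) >= 0)
        printf("logged as: %s\n", clean);
    return 0;
}
```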
The Apache mod_disk_cache module has been found to be vulnerable to a
weakness that allows attackers to gain access to authentication
credentials, because it caches HTTP hop-by-hop headers, which can contain
plaintext user passwords. There is no available resolution for this issue
yet.
No special privileges are required for these vulnerabilities. As a
result, all users are recommended to upgrade their Apache
installations.
There is no immediate workaround; a software upgrade is required. There
is no workaround for the mod_disk_cache issue; users are recommended to
disable the feature on their servers until a patched version is
released.
Users are urged to upgrade to Apache 2.0.49:
# emerge sync
# emerge -pv ">=www-servers/apache-2.0.49"
# emerge ">=www-servers/apache-2.0.49"
# ** IMPORTANT **
# If you are migrating from Apache 2.0.48-r1 or earlier versions,
# it is important that the following directories are removed.
# The following commands should cause no data loss since these
# are symbolic links.
# rm /etc/apache2/lib /etc/apache2/logs /etc/apache2/modules
# rm /etc/apache2/modules
# ** ** ** ** **
# ** ALSO NOTE **
# Users who use mod_disk_cache should edit their Apache
# configuration and disable mod_disk_cache.
DerCorny
A specially-crafted MIME file (.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe
extensions) may cause UUDeview to crash or execute arbitrary code.
UUDeview is a program which is used to transmit binary files over the
Internet in a text-only format. It is commonly used for email and Usenet
attachments. It supports multiple encoding formats, including Base64,
BinHex and UUEncoding.
By decoding a MIME archive with excessively long strings for various
parameters, it is possible to crash UUDeview, or cause it to execute
arbitrary code.
This vulnerability was originally reported by iDEFENSE as part of a WinZip
advisory [ Reference: 1 ].
An attacker could create a specially-crafted MIME file and send it via
email. When the recipient decodes the file, UUDeview may execute arbitrary
code which is embedded in the MIME file, thus granting the attacker access
to the recipient's account.
There is no known workaround at this time. As a result, a software upgrade
is required and users should upgrade to uudeview 0.5.20.
All users should upgrade to uudeview 0.5.20:
# emerge sync
# emerge -pv ">=app-text/uudeview-0.5.20"
# emerge ">=app-text/uudeview-0.5.20"
Remote buffer overflow vulnerabilities have been found in Courier-IMAP and
Courier MTA. These exploits may allow the execution of arbitrary code,
allowing unauthorized access to a vulnerable system.
Courier MTA is a multiprotocol mail server suite that provides webmail,
mailing lists, IMAP, and POP3 services. Courier-IMAP is a standalone server
that gives IMAP access to local mailboxes.
The vulnerabilities have been found in the 'SHIFT_JIS' converter in
'shiftjis.c' and 'ISO2022JP' converter in 'so2022jp.c'. An attacker may
supply Unicode characters that exceed BMP (Basic Multilingual Plane) range,
causing an overflow.
An attacker without privileges may exploit this vulnerability remotely, allowing arbitrary code to be executed in order to gain unauthorized access.
While a workaround is not currently known for this issue, all users are
advised to upgrade to the latest version of the affected packages.
All users should upgrade to current versions of the affected packages:
# emerge sync
# emerge -pv ">=net-mail/courier-imap-3.0.0"
# emerge ">=net-mail/courier-imap-3.0.0"
# ** Or; depending on your installation... **
# emerge -pv ">=mail-mta/courier-0.45"
# emerge ">=mail-mta/courier-0.45"
There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3, including:
Multiple overflows and vulnerabilities exist in Ethereal which may allow an
attacker to crash the program or run arbitrary code.
Quote from http://www.ethereal.com
"Ethereal is used by network professionals around the world for
troubleshooting, analysis, software and protocol development, and
education. It has all of the standard features you would expect in a
protocol analyzer, and several features not seen in any other product. Its
open source license allows talented experts in the networking community to
add enhancements. It runs on all popular computing platforms, including
Unix, Linux, and Windows."
These vulnerabilities may cause Ethereal to crash or may allow an attacker
to run arbitrary code on the user's computer.
While a workaround is not currently known for this issue, all users are
advised to upgrade to the latest version of the affected package.
All users should upgrade to the current version of the affected package:
# emerge sync
# emerge -pv ">=net-analyzer/ethereal-0.10.3"
# emerge ">=net-analyzer/ethereal-0.10.3"
A remotely-exploitable overflow exists in oftpd, allowing an attacker to
crash the oftpd daemon.
Quote from
.org/oftpd/
"oftpd is designed to be as secure as an anonymous FTP server can
possibly be. It runs as non-root for most of the time, and uses the
Unix chroot() command to hide most of the systems directories from
external users - they cannot change into them even if the server is
totally compromised! It contains its own directory change code, so that
it can run efficiently as a threaded server, and its own directory
listing code (most FTP servers execute the system "ls" command to list
files)."
Issuing a port command with a number higher than 255 causes the server
to crash. The port command may be issued before any authentication
takes place, meaning the attacker does not need to know a valid
username and password in order to exploit this vulnerability.
This exploit causes a denial of service.
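An added example, not oftpd's code, of the input validation the fix implies: the argument of PORT is parsed field by field, any value above 255 (or any other malformed input) is rejected with a 501 reply before the values are used, and the check does not depend on the client having logged in. The reply texts are the example's own choice.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not oftpd code. The PORT argument is "h1,h2,h3,h4,p1,p2" (RFC 959):
 * four address bytes and two port bytes, each 0..255. Every field is checked before
 * any value is used, because PORT may arrive before the client has authenticated.
 * Returns 0 and fills addr/port, or -1 on malformed input. */
int parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    const char *p = arg;
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p))
            return -1;                          /* empty field or non-digit */
        unsigned n = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            n = n * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || n > 255)
                return -1;                      /* value above 255: refuse it here */
            p++;
        }
        v[i] = n;
        if (i < 5) {
            if (*p != ',') return -1;           /* too few fields */
            p++;
        }
    }
    if (*p != '\0' && strcmp(p, "\r\n") != 0)
        return -1;                              /* extra fields or trailing junk */
    *addr = ((uint32_t)v[0] << 24) | ((uint32_t)v[1] << 16) | ((uint32_t)v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* Reply a server would send for the command: 200 on success, 501 (syntax error in
 * parameters) otherwise. Writes the reply into reply (capacity n); returns its length. */
int port_reply(const char *arg, char *reply, size_t n)
{
    uint32_t addr;
    uint16_t port;
    if (parse_port_arg(arg, &addr, &port) != 0)
        return snprintf(reply, n, "501 Syntax error in parameters or arguments.\r\n");
    return snprintf(reply, n, "200 PORT command successful (%u.%u.%u.%u:%u).\r\n",
                    (unsigned)(addr >> 24), (unsigned)(addr >> 16) & 0xFF,
                    (unsigned)(addr >> 8) & 0xFF, (unsigned)addr & 0xFF, (unsigned)port);
}
```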
While a workaround is not currently known for this issue, all users are
advised to upgrade to the latest version of the affected package.
All users should upgrade to the current version of the affected
package:
# emerge sync
# emerge -pv ">=net-ftp/oftpd-0.3.7"
# emerge ">=net-ftp/oftpd-0.3.7"
DerCorny
A remotely-exploitable buffer overflow in Midnight Commander allows
arbitrary code to be run on a user's computer
Midnight Commander is a visual file manager.
A stack-based buffer overflow has been found in Midnight Commander's
virtual filesystem.
This overflow allows an attacker to run arbitrary code on the user's
computer during t