Security Watch
Compiled by Jason Wallwork
First, some words on how I compile this list. I'm subscribed to the vendor security lists of Mandrake, Red Hat, SuSE and Debian. I also get a weekly Linux security newsletter and I browse Bugtraq's Security list and the CVE list as often as I can. I then find the exploits that affect the most Linux distributions, and find the best "plain English" explanations of the security problem, or at least those that don't use programming language terms. There were so many patches released last month that I decided to just focus on the ones that would probably affect every Linux desktop user. Thus, you won't see anything about the several holes patched in sendmail, qpopper, Kerberos or squirrelmail. That still left about 8 patches. There were also patches for Evolution, eterm, and rxvt -- something I haven't seen in a while. Here's info on the eight remaining, almost all of which affect most distributions. Many also affect OpenBSD, FreeBSD and NetBSD.

kernel -- March 13 -- CAN-2003-0127
The Linux kernel handles the basic functions of the operating system. A vulnerability has been found in version 2.4.18 of the kernel. It makes it possible for local users to gain elevated (root) privileges without authorization.

mutt -- March 13 -- CAN-2003-0140
A vulnerability was discovered in the IMAP code of the mutt text-mode email client. It can be exploited by a malicious IMAP server to crash mutt or even execute arbitrary code with the privileges of the user running mutt.

vnc -- March 17 -- CAN-2002-1511
VNC is a tool for providing a remote graphical user interface. Two vulnerabilities have been found in VNC. The VNC server acts as an X server, but the script that starts it generates an MIT X cookie (used for X authentication) without using a strong enough random number generator. This could allow an attacker to guess the authentication cookie more easily.
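To make the VNC entry concrete, here is an added example in C (not code from this column, from VNC, or from any vendor advisory) that contrasts a cookie derived from a time-seeded C-library PRNG with one read from the kernel's random device. It assumes the 16-byte MIT-MAGIC-COOKIE-1 format and that the hardened approach is to draw the bytes from /dev/urandom; the function names, the sanity check and the fixed sample seed are constructed for this illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* MIT-MAGIC-COOKIE-1 is a 128-bit secret that the X server compares byte for byte. */
#define COOKIE_BYTES 16

/* Weak pattern (illustrative, not the vncserver script itself): the cookie comes
 * from a C-library PRNG seeded with something guessable, such as the start time.
 * The seed is a parameter so the problem is reproducible: the same seed always
 * yields the same cookie, so the cookie is only as secret as the seed. */
void cookie_weak(unsigned seed, unsigned char out[COOKIE_BYTES])
{
    srand(seed);
    for (int i = 0; i < COOKIE_BYTES; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened pattern: take the bytes from the kernel's random device, which is fed
 * by entropy an outside observer cannot reconstruct. Returns false on a short read. */
bool cookie_strong(unsigned char out[COOKIE_BYTES])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return false;
    size_t got = fread(out, 1, COOKIE_BYTES, f);
    fclose(f);
    return got == COOKIE_BYTES;
}

/* Hex-encode a cookie the way xauth prints it: 32 lowercase hex digits plus NUL. */
void cookie_hex(const unsigned char cookie[COOKIE_BYTES], char out[2 * COOKIE_BYTES + 1])
{
    static const char digits[] = "0123456789abcdef";
    for (int i = 0; i < COOKIE_BYTES; i++) {
        out[2 * i]     = digits[cookie[i] >> 4];
        out[2 * i + 1] = digits[cookie[i] & 0x0f];
    }
    out[2 * COOKIE_BYTES] = '\0';
}

/* Constructed sanity check before installing a cookie: reject a cookie made of one
 * repeated byte (for example all zeros from a failed or stubbed random source). */
bool cookie_looks_sane(const unsigned char cookie[COOKIE_BYTES])
{
    for (int i = 1; i < COOKIE_BYTES; i++)
        if (cookie[i] != cookie[0])
            return true;
    return false;
}

int main(void)
{
    unsigned char a[COOKIE_BYTES], b[COOKIE_BYTES];
    char hex[2 * COOKIE_BYTES + 1];

    /* Constructed seed standing in for a server start time. */
    cookie_weak(1047859200u, a);
    cookie_weak(1047859200u, b);
    printf("weak cookies identical for the same seed: %s\n",
           memcmp(a, b, COOKIE_BYTES) == 0 ? "yes" : "no");

    if (cookie_strong(a) && cookie_strong(b)) {
        cookie_hex(a, hex);
        printf("strong cookie: %s (sane: %s)\n", hex, cookie_looks_sane(a) ? "yes" : "no");
        printf("two strong cookies differ: %s\n",
               memcmp(a, b, COOKIE_BYTES) != 0 ? "yes" : "no");
    } else {
        printf("could not read /dev/urandom\n");
    }
    return 0;
}
```

The point of the weak function is not the particular PRNG but that its entire output is determined by a seed with very little entropy; any cookie generator whose output can be reproduced from public information (start time, process id) is guessable no matter how long the cookie is.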
glibc -- March 19 -- CAN-2003-0028
The glibc package contains standard libraries that are used by multiple programs on the system. Sun RPC is a remote procedure call framework that allows clients to invoke procedures in a server process over a network. XDR is a mechanism for encoding data structures for use with RPC. Glibc contains an XDR encoder/decoder derived from Sun's RPC implementation, which was demonstrated to be vulnerable to an integer overflow. The overflow is present in the xdrmem_getbytes() function of glibc 2.3.1 and earlier. Depending upon the application, it could cause buffer overflows and may be exploitable, leading to arbitrary code execution.

In more detail: an integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields. This is a different vulnerability than CAN-2002-0391.

samba -- March 17 -- CAN-2003-0085
Samba is a suite of utilities which provides file and printer sharing services to SMB/CIFS clients. Sebastian Krahmer discovered a security vulnerability present in unpatched versions of Samba prior to 2.2.8. An anonymous user could use the vulnerability to gain root access on the target machine. Additionally, a race condition could allow an attacker to overwrite critical system files.

zlib -- March 17 -- CAN-2003-0107
There is a buffer overflow in the gzprintf function in zlib that can enable attackers to cause a denial of service or possibly execute arbitrary code.

file -- March 17 -- CAN-2003-0102
The file command is used to identify a particular file according to the type of data contained in the file. The file utility before version 3.41 contains a buffer overflow vulnerability in the ELF parsing routines.
This vulnerability may allow an attacker to create a carefully crafted binary which can allow arbitrary code to be run if a victim runs the 'file' command on that binary. There are other ways that an attacker may be able to take advantage of this vulnerability in the file command:
-- In Red Hat Linux 6.2 and 7.0, the rhs-printfilter package makes use of the file command. This would allow an attacker who has the ability to print to execute arbitrary commands (as the user 'lp') on the print server by sending a malicious file.
-- On some Red Hat distributions it may also be possible to trigger this exploit by encouraging the victim to use the 'less' command on a malicious file which is named so that it will be processed by the 'lesspipe.sh' script.

openssl -- March 17 -- CAN-2003-0147
OpenSSL is a commercial-grade, full-featured, open source toolkit that implements the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, and provides a full-strength general purpose cryptography library. Researchers discovered a timing attack on RSA keys. Applications making use of OpenSSL are generally vulnerable to such an attack unless RSA blinding has been turned on. OpenSSL does not use RSA blinding by default, and most applications do not enable it. A local or remote attacker could use this attack to obtain the server's private key by determining its factors from timing differences in (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms (Karatsuba and normal).
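Returning to the glibc entry above: the following added C example (a toy reconstruction written for this column, not glibc's or Sun's code) shows the subtract-then-test length check that wraps around for a huge length field, next to the compare-first form, and then runs the safe form over a constructed XDR "opaque" item (4-byte big-endian length followed by the bytes). The field name x_handy follows the Sun RPC source; the helper names and the sample byte strings are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Old-style check (the pattern the advisory describes): subtract the requested
 * length from the bytes remaining, then ask whether the result went negative.
 * x_handy is a signed int but len is unsigned, so the subtraction happens in
 * unsigned arithmetic: a huge len wraps to a small positive number and the
 * check accepts a read that is far larger than the buffer. */
bool length_check_old(int x_handy, uint32_t len)
{
    int remaining = (int)((uint32_t)x_handy - len);   /* wraps for huge len */
    return remaining >= 0;
}

/* Hardened check: compare before subtracting, both sides unsigned. */
bool length_check_fixed(uint32_t x_handy, uint32_t len)
{
    return len <= x_handy;
}

/* Toy in-memory XDR stream: cur is the next unread byte, x_handy the bytes left. */
struct xdr_mem {
    const unsigned char *cur;
    uint32_t x_handy;
};

/* Copy len bytes out of the stream, using the hardened check. */
static bool xdr_getbytes(struct xdr_mem *x, unsigned char *dst, uint32_t len)
{
    if (!length_check_fixed(x->x_handy, len))
        return false;
    memcpy(dst, x->cur, len);
    x->cur += len;
    x->x_handy -= len;
    return true;
}

/* Decode one XDR opaque item from buf into out. The length field is attacker-
 * controlled, so it is bounded twice: by what the stream still holds and by
 * the caller's buffer. Returns false instead of reading or writing out of bounds. */
bool xdr_read_opaque(const unsigned char *buf, uint32_t buflen,
                     unsigned char *out, uint32_t outcap, uint32_t *outlen)
{
    struct xdr_mem x = { buf, buflen };
    unsigned char hdr[4];
    if (!xdr_getbytes(&x, hdr, 4))
        return false;
    uint32_t len = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16)
                 | ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    if (!length_check_fixed(x.x_handy, len))   /* stream must really hold len bytes */
        return false;
    if (len > outcap)                          /* and they must fit the caller's buffer */
        return false;
    if (!xdr_getbytes(&x, out, len))
        return false;
    *outlen = len;
    return true;
}

/* Constructed sample items: a well-formed 5-byte opaque and one whose length
 * field claims 0xFFFFFFF0 bytes while only 5 follow. */
const unsigned char xdr_good_msg[] = { 0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
const unsigned char xdr_bad_msg[]  = { 0xff, 0xff, 0xff, 0xf0, 'h', 'e', 'l', 'l', 'o' };

int main(void)
{
    unsigned char out[16];
    uint32_t n = 0;

    printf("old check accepts len 0xFFFFFFF0 with 8 bytes left: %s\n",
           length_check_old(8, 0xFFFFFFF0u) ? "yes (bug)" : "no");
    printf("fixed check accepts it: %s\n",
           length_check_fixed(8, 0xFFFFFFF0u) ? "yes" : "no");

    if (xdr_read_opaque(xdr_good_msg, sizeof xdr_good_msg, out, sizeof out, &n))
        printf("good item decoded: %u bytes \"%.*s\"\n", n, (int)n, out);
    printf("bad item decoded: %s\n",
           xdr_read_opaque(xdr_bad_msg, sizeof xdr_bad_msg, out, sizeof out, &n) ? "yes" : "no");
    return 0;
}
```

The general lesson applies beyond XDR: whenever a length comes from the wire, compare it against the space available before doing any arithmetic with it, and do the comparison in a type that cannot silently wrap.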
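For the OpenSSL entry, here is an added C example of what RSA blinding does and why it blunts a timing attack. It is written for this column, not taken from OpenSSL, and uses a constructed toy key (p = 61, q = 53, n = 3233, e = 17, d = 2753) that is only good for illustration. The blinding factor r is passed in as a parameter so the run is deterministic; a real implementation draws a fresh random r for every private-key operation. In the OpenSSL API of that era the switch is RSA_blinding_on().

```c
#include <stdint.h>
#include <stdio.h>

/* Toy RSA parameters, constructed for the example (far too small for real use). */
#define RSA_N 3233ULL
#define RSA_E 17ULL
#define RSA_D 2753ULL

/* Every value here is below 2^32, so a * b fits in a uint64_t without overflow. */
static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t n) { return (a * b) % n; }

/* Square-and-multiply. In a real library the work done inside this loop
 * (extra Montgomery reductions, choice of multiplication routine) is what
 * varies with the input and leaks through timing. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1;
    base %= n;
    while (exp > 0) {
        if (exp & 1)
            result = mulmod(result, base, n);
        base = mulmod(base, base, n);
        exp >>= 1;
    }
    return result;
}

/* Modular inverse by the extended Euclidean algorithm; 0 means none exists. */
uint64_t modinv(uint64_t a, uint64_t n)
{
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)n, newr = (int64_t)(a % n);
    while (newr != 0) {
        int64_t q = r / newr;
        int64_t tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr;         r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    if (t < 0)
        t += (int64_t)n;
    return (uint64_t)t;
}

uint64_t rsa_public(uint64_t m) { return modpow(m, RSA_E, RSA_N); }

/* Unblinded private operation: the secret exponentiation runs directly on the
 * input chosen by the other side, so its running time is a function of that input. */
uint64_t rsa_private_plain(uint64_t c) { return modpow(c, RSA_D, RSA_N); }

/* The value the secret exponentiation actually sees when blinding with r:
 * c * r^e mod n, which is uniformly random when r is. */
uint64_t blind_input(uint64_t c, uint64_t r) { return mulmod(c, rsa_public(r), RSA_N); }

/* Blinded private operation. Since (c * r^e)^d = c^d * r^(e*d) = c^d * r (mod n),
 * multiplying the result by r^-1 recovers c^d. Returns 0 if r shares a factor with n. */
uint64_t rsa_private_blinded(uint64_t c, uint64_t r)
{
    uint64_t rinv = modinv(r, RSA_N);
    if (rinv == 0)
        return 0;
    uint64_t mprime = modpow(blind_input(c, r), RSA_D, RSA_N);
    return mulmod(mprime, rinv, RSA_N);
}

int main(void)
{
    uint64_t m = 65, c = rsa_public(m);
    printf("ciphertext: %llu\n", (unsigned long long)c);
    printf("plain decrypt:   %llu\n", (unsigned long long)rsa_private_plain(c));
    printf("blinded decrypt: %llu (exponentiation saw %llu, not %llu)\n",
           (unsigned long long)rsa_private_blinded(c, 7),
           (unsigned long long)blind_input(c, 7), (unsigned long long)c);
    return 0;
}
```

Both paths return the same plaintext; the difference is that with blinding the number whose exponentiation is being timed is c * r^e, which the remote party never learns, so measured timing differences can no longer be correlated with the ciphertexts they sent.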
©2003 Peterborough Linux User Group, All Rights Reserved. Logos and buttons are used by permission of their respective owners. PLUG can not be held liable for damages resulting from the use or misuse of the information at this website or from its members. Don't run with scissors. Comments can be sent to Jason Wallwork, Webmaster.