Security Digest: January 27, 2005

Jan 28, 2005, 04:45

Conectiva Linux


CONECTIVA LINUX SECURITY ANNOUNCEMENT

PACKAGE : squid
SUMMARY : Fixes for squid vulnerabilities
DATE : 2005-01-26 13:41:00
ID : CLA-2005:923
RELEVANT RELEASES : 9, 10


DESCRIPTION
Squid[1] is a full-featured web proxy cache.

This announcement adds the following patches to Squid:

1. Empty ACLs [2]
The meaning of the access controls becomes somewhat confusing if any of the referenced ACLs is declared empty, without any members.

2. Fakeauth_auth [3]
The NTLM fakeauth_auth helper has a memory leak that may cause it to run out of memory under high load, or if it runs for a very long time. Additionally, a malformed NTLM type 3 message could cause a segmentation violation.

3. LDAP spaces [4]
LDAP is very forgiving about spaces in search filters, and this could be abused to log in using several variants of the login name, possibly bypassing explicit access controls or confusing accounting.

4. Non blocking disk [5]
O_NONBLOCK on disk files is not standardized, and results may be unexpected. Linux now starts to add O_NONBLOCK support on disk files, but the implementation is not complete yet and this bites Squid.

5. Gopher html parsing [6]
A malicious gopher server may return a response with very long lines that cause a buffer overflow in Squid.

6. WCCP denial of service [7]
WCCP_I_SEE_YOU messages contain a 'number of caches' field which should be between 1 and 32. Values outside that range may crash Squid if WCCP is enabled, and if an attacker can spoof UDP packets with the WCCP router's IP address.

7. SNMP core dump [8]
If a certain malformed SNMP request is received, Squid restarts with a Segmentation Fault error.

Additionally, this announcement increases the time Squid's initscript waits for the service to stop from 10 seconds to 35 seconds, avoiding problems with stuck connections.
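The range check that item 6 calls for, as an added example in C (this is not Squid's code or the Conectiva patch). Only the 1 to 32 bound comes from the advisory; the header layout, the 44-byte entry size and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define WCCP_MAX_CACHES 32  /* upper bound stated in the advisory */
#define WCCP_HDR_SIZE   20  /* assumed header: type, version, change, id, number */
#define WCCP_NUMBER_OFF 16  /* assumed offset of the 'number of caches' field */
#define WCCP_ENTRY_SIZE 44  /* assumed size of one cache entry in bytes */

/* Returns the validated cache count (1..32), or -1 if the datagram must be
 * dropped before any per-cache table is indexed with the count. */
int wccp_validate_i_see_you(const uint8_t *pkt, size_t len)
{
    uint32_t number;

    if (len < WCCP_HDR_SIZE)
        return -1;                      /* truncated header */
    memcpy(&number, pkt + WCCP_NUMBER_OFF, sizeof(number));
    number = ntohl(number);             /* unsigned: "negative" values become huge */
    if (number < 1 || number > WCCP_MAX_CACHES)
        return -1;                      /* outside the range the receiver can hold */
    if (len < WCCP_HDR_SIZE + (size_t)number * WCCP_ENTRY_SIZE)
        return -1;                      /* claims more entries than were received */
    return (int)number;
}

/* Builds a constructed datagram that claims `number` caches but carries
 * `entries` entries, then runs the validator on it. */
int wccp_check_sample(uint32_t number, uint32_t entries)
{
    static uint8_t buf[WCCP_HDR_SIZE + 64 * WCCP_ENTRY_SIZE];
    uint32_t be = htonl(number);
    size_t len;

    if (entries > 64)
        entries = 64;
    len = WCCP_HDR_SIZE + (size_t)entries * WCCP_ENTRY_SIZE;
    memset(buf, 0, sizeof(buf));
    memcpy(buf + WCCP_NUMBER_OFF, &be, sizeof(be));
    return wccp_validate_i_see_you(buf, len);
}

int main(void)
{
    printf("number=2,  2 entries:  %d\n", wccp_check_sample(2, 2));
    printf("number=0:              %d\n", wccp_check_sample(0, 0));
    printf("number=33, 33 entries: %d\n", wccp_check_sample(33, 33));
    printf("number=4,  2 entries:  %d\n", wccp_check_sample(4, 2));
    return 0;
}
```

Because the advisory notes that the sender address can be spoofed, the count has to be validated on every datagram and cannot be trusted on the basis of the source IP.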

SOLUTION
It is recommended that all squid users upgrade to the latest packages. This update will automatically restart the service if it is already running.

REFERENCES
1. http://squid.nlanr.net/
2. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
3. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
4. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
5. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-non_blocking_disk
6. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing
7. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service
8. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/10/SRPMS/squid-2.5.5-63116U10_6cl.src.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-2.5.5-63116U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-auth-2.5.5-63116U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-extra-templates-2.5.5-63116U10_6cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/squid-2.5.5-25761U90_9cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-2.5.5-25761U90_9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-auth-2.5.5-25761U90_9cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-extra-templates-2.5.5-25761U90_9cl.i386.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


All packages are signed with Conectiva's GPG key. The key and instructions on how to import it can be found at http://distro.conectiva.com.br/seguranca/chave/?idioma=en

Instructions on how to check the signatures of the RPM packages can be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en

All our advisories and generic update instructions can be viewed at http://distro.conectiva.com.br/atualizacoes/?idioma=en
Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

Debian GNU/Linux


Debian Security Advisory DSA 661-1 security@debian.org
http://www.debian.org/security/ Martin Schulze
January 27th, 2005 http://www.debian.org/security/faq


Package : f2c
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0017 CAN-2005-0018

Javier Fernández-Sanguino Peña from the Debian Security Audit project discovered that f2c and fc, which are both part of the f2c package, a Fortran 77 to C/C++ translator, open temporary files insecurely and are hence vulnerable to a symlink attack. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities:

CAN-2005-0017

Multiple insecure temporary files in the f2c translator.

CAN-2005-0018

Two insecure temporary files in the f2 shell script.

For the stable distribution (woody) these problems have been fixed in version 20010821-3.1

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your f2c package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1.dsc
Size/MD5 checksum: 519 c245d8c55d5bc7686fb424ba83ad33dc
http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1.diff.gz
Size/MD5 checksum: 28688 ae7f2dc8def540a029f796c6de397af1
http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821.orig.tar.gz
Size/MD5 checksum: 416017 f2527aed84c8db35c883615c3b9b8511

Alpha architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_alpha.deb
Size/MD5 checksum: 525056 a28714e82120e4a9a9ef97ff20fe719b

ARM architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_arm.deb
Size/MD5 checksum: 470448 4a35312c2a14b9c5c23a2af416896502

Intel IA-32 architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_i386.deb
Size/MD5 checksum: 423100 5e12281a52c42445bc984cb1045c739c

Intel IA-64 architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_ia64.deb
Size/MD5 checksum: 678778 e5b288c10fa245d283b51fdd00fbda6b

HP Precision architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_hppa.deb
Size/MD5 checksum: 493400 82cdc10d36587ce4fa14ab92878fa109

Motorola 680x0 architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_m68k.deb
Size/MD5 checksum: 407568 5fb83a199fb3469e01f2ac23172758b1

Big endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_mips.deb
Size/MD5 checksum: 483078 ff74d93993830d87c01b06b2667fbb72

Little endian MIPS architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_mipsel.deb
Size/MD5 checksum: 481644 7fa990a07b294c196dc3404efc2ce2d9

PowerPC architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_powerpc.deb
Size/MD5 checksum: 455606 2232d1ef2bebd4268598903994ab3e43

IBM S/390 architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_s390.deb
Size/MD5 checksum: 446322 50797aed670f8b85975335f9fd8cc6c2

Sun Sparc architecture:

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_sparc.deb
Size/MD5 checksum: 467154 284b8fa77e1706d235b77175c1fb1596

These files will probably be moved into the stable distribution on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200501-37

http://security.gentoo.org/


Severity: Normal
Title: GraphicsMagick: PSD decoding heap overflow
Date: January 26, 2005
Bugs: #79336
ID: 200501-37


Synopsis

GraphicsMagick is vulnerable to a heap overflow when decoding Photoshop Document (PSD) files, which could lead to arbitrary code execution.

Background

GraphicsMagick is a collection of tools to read, write and manipulate images in many formats. GraphicsMagick is originally derived from ImageMagick 5.5.2.

Affected packages


     Package                   /  Vulnerable  /             Unaffected

  1  media-gfx/graphicsmagick       < 1.1.5                   >= 1.1.5

Description

Andrei Nigmatulin discovered that handling a Photoshop Document (PSD) file with more than 24 layers in ImageMagick could trigger a heap overflow (GLSA 200501-26). GraphicsMagick is based on the same code and therefore suffers from the same flaw.

Impact

An attacker could potentially design a malicious PSD image file to cause arbitrary code execution with the permissions of the user running GraphicsMagick.

Workaround

There is no known workaround at this time.

Resolution

All GraphicsMagick users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.5"

References

[ 1 ] CAN-2005-0005

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005

[ 2 ] GLSA 200501-26

http://www.gentoo.org/security/en/glsa/glsa-200501-26.xml

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-37.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-38

http://security.gentoo.org/


Severity: Normal
Title: Perl: rmtree and DBI tmpfile vulnerabilities
Date: January 26, 2005
Bugs: #78634, #75696
ID: 200501-38


Synopsis

The Perl DBI library and File::Path::rmtree function are vulnerable to symlink attacks.

Background

Perl is a cross platform programming language. The DBI is the standard database interface module for Perl.

Affected packages


     Package        /   Vulnerable   /                      Unaffected

  1  dev-perl/dbi         <= 1.38                          *>= 1.37-r1
                                                            >= 1.38-r1
  2  dev-lang/perl      <= 5.8.6-r1                        >= 5.8.6-r2
                                                          *>= 5.8.5-r3
                                                          *>= 5.8.4-r2
                                                          *>= 5.8.2-r2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Javier Fernandez-Sanguino Pena discovered that the DBI library creates temporary files in an insecure, predictable way (CAN-2005-0077). Paul Szabo found out that "File::Path::rmtree" also handles temporary files insecurely (CAN-2004-0452).

Impact

A local attacker could create symbolic links in the temporary files directory that point to a valid file somewhere on the filesystem. When the DBI library or File::Path::rmtree is executed, this could be used to overwrite files with the rights of the user calling these functions.
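The symlink problem described here for DBI, and in the f2c advisory above, comes down to how the temporary file is opened. The following is an added example in C (not code from DBI, File::Path or f2c); the function names and the scratch-directory scenario are constructed for illustration. It contrasts a predictable-name open with an exclusive create.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: predictable name, no O_EXCL. open() follows a symlink
 * already present at `path` and truncates whatever it points to. */
int open_tmp_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes creation atomic and fails with EEXIST if anything,
 * including a symlink, already exists at `path`. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: a symlink named
 * app.tmp points at a "victim" file holding 9 bytes. Opens app.tmp with the
 * chosen opener and returns the victim's size afterwards (0 = clobbered). */
long tmp_symlink_demo(int hardened)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char victim[64], tmpname[64];
    struct stat st;
    long size;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof(victim), "%s/victim", dir);
    snprintf(tmpname, sizeof(tmpname), "%s/app.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important", 9) != 9)
        return -1;
    close(fd);
    if (symlink(victim, tmpname) != 0)
        return -1;

    fd = hardened ? open_tmp_excl(tmpname) : open_tmp_predictable(tmpname);
    if (fd >= 0)
        close(fd);
    size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;

    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return size;
}

int main(void)
{
    printf("predictable open: victim is %ld bytes\n", tmp_symlink_demo(0));
    printf("O_EXCL open:      victim is %ld bytes\n", tmp_symlink_demo(1));
    return 0;
}
```

In new C code, mkstemp() gives the same exclusive-create guarantee together with an unpredictable name.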

Workaround

There are no known workarounds at this time.

Resolution

All Perl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-lang/perl

All DBI library users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-perl/dbi

References

[ 1 ] CAN-2005-0077

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0077

[ 2 ] CAN-2004-0452

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-38.xml


Mandrakelinux


Mandrakelinux Security Update Advisory


Package name: evolution
Advisory ID: MDKSA-2005:024
Date: January 27th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0


Problem Description:

Max Vozeler discovered an integer overflow in the camel-lock-helper application. This application is installed setgid mail by default. A local attacker could exploit this to execute malicious code with the privileges of the "mail" group; likewise a remote attacker could set up a malicious POP server to execute arbitrary code when an Evolution user connects to it.

The updated packages have been patched to prevent this problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0102


Updated Packages:

Mandrakelinux 10.0:
3397788a5d8a84d8fd1294225bdfa546 10.0/RPMS/evolution-1.4.6-5.1.100mdk.i586.rpm
0e2280ac393ca059ae4d19b3db8289ee 10.0/RPMS/evolution-devel-1.4.6-5.1.100mdk.i586.rpm
6d1f2aa61768f1cebeeb5454abbc4a67 10.0/RPMS/evolution-pilot-1.4.6-5.1.100mdk.i586.rpm
cc0058793a3353fd9d420da898e42213 10.0/SRPMS/evolution-1.4.6-5.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
2cbb561ccbd6a2a30c4830e4bdae4c17 amd64/10.0/RPMS/evolution-1.4.6-5.1.100mdk.amd64.rpm
35673a1c5f7c595930def4776bfeba12 amd64/10.0/RPMS/evolution-devel-1.4.6-5.1.100mdk.amd64.rpm
091ef5247fce276a0c8fffd3efd2d967 amd64/10.0/RPMS/evolution-pilot-1.4.6-5.1.100mdk.amd64.rpm
cc0058793a3353fd9d420da898e42213 amd64/10.0/SRPMS/evolution-1.4.6-5.1.100mdk.src.rpm

Mandrakelinux 10.1:
0b3320cd8f1209071dbb38de3f5f4c62 10.1/RPMS/evolution-2.0.3-1.2.101mdk.i586.rpm
d7cf293651f49ef222da230f4ad3cb2d 10.1/RPMS/evolution-devel-2.0.3-1.2.101mdk.i586.rpm
89f0d1b662517cb0756eec458cd6c234 10.1/RPMS/evolution-pilot-2.0.3-1.2.101mdk.i586.rpm
ee51751a3cabf18e53bd1e3092da3223 10.1/SRPMS/evolution-2.0.3-1.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
984eae27bc6fbebcf32002ba61b17670 x86_64/10.1/RPMS/evolution-2.0.3-1.2.101mdk.x86_64.rpm
8bc7680f0095b4153a882716f8485daf x86_64/10.1/RPMS/evolution-devel-2.0.3-1.2.101mdk.x86_64.rpm
3db68c56395c13a3fe458645bb1c9975 x86_64/10.1/RPMS/evolution-pilot-2.0.3-1.2.101mdk.x86_64.rpm
ee51751a3cabf18e53bd1e3092da3223 x86_64/10.1/SRPMS/evolution-2.0.3-1.2.101mdk.src.rpm

Corporate Server 3.0:
6a8867e05261d45f89ff09e9cb05ff31 corporate/3.0/RPMS/evolution-1.4.6-5.1.C30mdk.i586.rpm
a9a7a5c41a121178a2fffbff6a8764a3 corporate/3.0/RPMS/evolution-devel-1.4.6-5.1.C30mdk.i586.rpm
4d6f9b339eb9cc545e9b562d8223fca8 corporate/3.0/RPMS/evolution-pilot-1.4.6-5.1.C30mdk.i586.rpm
854f366f4a1c868e905888a46d06603a corporate/3.0/SRPMS/evolution-1.4.6-5.1.C30mdk.src.rpm

Corporate Server 3.0/x86_64:
194f59a32369684d6642067924937dcd x86_64/corporate/3.0/RPMS/evolution-1.4.6-5.1.C30mdk.x86_64.rpm
79de9373078067bc09779afb01b2a2f1 x86_64/corporate/3.0/RPMS/evolution-devel-1.4.6-5.1.C30mdk.x86_64.rpm
a050fc93565161d237e141feb014c9f1 x86_64/corporate/3.0/RPMS/evolution-pilot-1.4.6-5.1.C30mdk.x86_64.rpm
854f366f4a1c868e905888a46d06603a x86_64/corporate/3.0/SRPMS/evolution-1.4.6-5.1.C30mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you.

All packages are signed by Mandrakesoft for security. You can obtain the GPG public key of the Mandrakelinux Security Team by executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team <security linux-mandrake.com>


Mandrakelinux Security Update Advisory


Package name: bind
Advisory ID: MDKSA-2005:023
Date: January 26th, 2005
Affected versions: 10.1


Problem Description:

A vulnerability was discovered in BIND version 9.3.0 where a remote attacker may be able to cause named to exit prematurely, causing a Denial of Service due to an incorrect assumption in the validator function authvalidated().

The updated packages have been patched to prevent this problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0034
http://www.kb.cert.org/vuls/id/938617


Updated Packages:

Mandrakelinux 10.1:
2c3b0b567b122b32672834813099ace9 10.1/RPMS/bind-9.3.0-3.1.101mdk.i586.rpm
f9e226057c52236b13631ffe032f6bc2 10.1/RPMS/bind-devel-9.3.0-3.1.101mdk.i586.rpm
e6a4b508f747a26af2e98d879cb1127e 10.1/RPMS/bind-utils-9.3.0-3.1.101mdk.i586.rpm
bcfc92436972a46b3788ec38edfd45d9 10.1/SRPMS/bind-9.3.0-3.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
1e497338a4c775afd571157c94b7a954 x86_64/10.1/RPMS/bind-9.3.0-3.1.101mdk.x86_64.rpm
9e61bddc45238b768bc2f93948a9024b x86_64/10.1/RPMS/bind-devel-9.3.0-3.1.101mdk.x86_64.rpm
17cf2955482bc6c3523b0123ca2010d9 x86_64/10.1/RPMS/bind-utils-9.3.0-3.1.101mdk.x86_64.rpm
bcfc92436972a46b3788ec38edfd45d9 x86_64/10.1/SRPMS/bind-9.3.0-3.1.101mdk.src.rpm

