Package : bsmtpd
Vulnerability : missing input sanitising
Problem-Type : remote
Debian-specific: no
CVE ID : CAN-2005-0107
Bastian Blank discovered a vulnerability in bsmtpd, a batched SMTP mailer for
sendmail and postfix. Unsanitised addresses can cause the execution
of arbitrary commands during alleged mail delivery.
For the stable distribution (woody) this problem has been fixed in
version 2.3pl8b-12woody1.
For the unstable distribution (sid) this problem has been fixed in
version 2.3pl8b-16.
We recommend that you upgrade your bsmtpd package.
Upgrade Instructions
wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.
If you are using the apt-get package manager, use the line for
sources.list as given below:
apt-get update
will update the internal database
apt-get upgrade
will install corrected packages
You may use an automated update by adding the resources from the
footer to the proper configuration.
Product : Fedora Core 2
Name : gaim
Version : 1.1.4
Release : 0.FC2
Summary : A Gtk+ based multiprotocol instant messaging client
Description :
Gaim allows you to talk to anyone using a variety of messaging
protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!,
MSN Messenger, Jabber, Gadu-Gadu, Napster, and Zephyr. These
protocols are implemented using a modular, easy to use design.
To use a protocol, just add an account using the account editor.
Gaim supports many common features of other clients, as well as many
unique features, such as perl scripting and C plugins.
Gaim is NOT affiliated with or endorsed by America Online, Inc.,
Microsoft Corporation, or Yahoo! Inc. or other messaging service
providers.
Update Information:
This update resolves another DoS issue in parsing malformed HTML,
and an MSN-related crash that folks were hitting often.
Thu Feb 24 2005 Warren Togami <wtogami@redhat.com> 1:1.1.4-0.FC2
FC2
Thu Feb 24 2005 Warren Togami <wtogami@redhat.com> 1:1.1.4-1
1.1.4 with MSN crash fix, g_stat() crash workaround
CAN-2005-0208 Gaim HTML parsing DoS (another one)
Tue Feb 22 2005 Warren Togami <wtogami@redhat.com> 1:1.1.3-4
Product : Fedora Core 3
Name : gaim
Version : 1.1.4
Release : 0.FC3
Summary : A Gtk+ based multiprotocol instant messaging client
Description :
Gaim allows you to talk to anyone using a variety of messaging
protocols, including AIM (Oscar and TOC), ICQ, IRC, Yahoo!,
MSN Messenger, Jabber, Gadu-Gadu, Napster, and Zephyr. These
protocols are implemented using a modular, easy to use design.
To use a protocol, just add an account using the account editor.
Gaim supports many common features of other clients, as well as many
unique features, such as perl scripting and C plugins.
Gaim is NOT affiliated with or endorsed by America Online, Inc.,
Microsoft Corporation, or Yahoo! Inc. or other messaging service
providers.
Update Information:
This update resolves another DoS issue in parsing malformed HTML,
and an MSN-related crash that folks were hitting often.
Thu Feb 24 2005 Warren Togami <wtogami@redhat.com> 1:1.1.4-0.FC3
FC3
Thu Feb 24 2005 Warren Togami <wtogami@redhat.com> 1:1.1.4-1
1.1.4 with MSN crash fix, g_stat() crash workaround
CAN-2005-0208 Gaim HTML parsing DoS (another one)
Tue Feb 22 2005 Warren Togami <wtogami@redhat.com> 1:1.1.3-4
Updated kernel packages that fix several security issues are now
available.
The Linux kernel handles the basic functions of the operating system.
2. Relevant releases/architectures:
Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
3. Problem description:
This update includes fixes for several security issues:
The ext3 code in kernels before 2.4.26 did not properly initialize
journal descriptor blocks. A privileged local user could read portions
of kernel memory. The Common Vulnerabilities and Exposures project
(cve.mitre.org/) has assigned the name CAN-2004-0177 to this issue.
Conectiva discovered flaws in certain USB drivers affecting kernels
prior to 2.4.27 which used the copy_to_user function on uninitialized
structures. These flaws could allow local users to read small amounts
of kernel memory. (CAN-2004-0685)
Multiple race conditions in the terminal layer could allow local users
to obtain portions of kernel data via a TIOCSETD ioctl call to a
terminal interface that is being accessed by another thread. This could
also allow remote attackers to cause a denial of service (panic) by
switching from console to PPP line discipline, then quickly sending data
that is received during the switch. (CAN-2004-0814)
Stefan Esser discovered various flaws including buffer overflows in
the smbfs driver affecting kernels prior to 2.4.28. A local user may be
able to cause a denial of service (crash) or possibly gain privileges.
In order to exploit these flaws the user would require control of
a connected Samba server. (CAN-2004-0883, CAN-2004-0949)
ISEC security research and Georgi Guninski independently discovered a
flaw in the scm_send function in the auxiliary message layer. A local
user could create a carefully crafted auxiliary message which could
cause a denial of service (system hang). (CAN-2004-1016)
Multiple overflows were discovered and corrected in the io_edgeport
driver. (CAN-2004-1017)
The Direct Rendering Manager (DRM) driver does not properly check the
DMA lock, which could allow remote attackers or local users to cause a
denial of service (X Server crash) and possibly modify the video output.
(CAN-2004-1056)
A missing serialization flaw in unix_dgram_recvmsg was discovered that
affects kernels prior to 2.4.28. A local user could potentially make
use of a race condition in order to gain privileges. (CAN-2004-1068)
Paul Starzetz of iSEC discovered various flaws in the ELF binary loader
affecting kernels prior to 2.4.28. A local user could use these flaws to
gain read access to executable-only binaries or possibly gain
privileges. (CAN-2004-1070, CAN-2004-1071, CAN-2004-1072, CAN-2004-1073,
CAN-2004-1074)
ISEC security research discovered multiple vulnerabilities in the IGMP
functionality of the kernels. These flaws could allow a local user to
cause a denial of service (crash) or potentially gain privileges. Where
multicast applications are being used on a system, these flaws may also
allow remote users to cause a denial of service. (CAN-2004-1137)
Kirill Korotaev found a flaw in load_elf_binary affecting kernels prior
to 2.4.26. A local user could create a carefully crafted binary in such
a way that it would cause a denial of service (system crash).
(CAN-2004-1234)
iSEC Security Research discovered a VMA handling flaw in the uselib(2)
system call of the Linux kernel. A local user could make use of this
flaw to gain elevated (root) privileges. (CAN-2004-1235)
iSEC Security Research discovered a flaw in the page fault handler code
that could lead to local users gaining elevated (root) privileges on
multiprocessor machines. (CAN-2005-0001)
All users are advised to upgrade their kernels to the packages
associated with their machine architectures and configurations as listed
in this erratum.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied.
To install kernel packages manually, use "rpm -ivh <package>" and modify
system settings to boot the kernel you have installed. To do this, edit
/boot/grub/grub.conf and change the default entry to "default=0" (or, if
you have chosen to use LILO as your boot loader, edit /etc/lilo.conf and
run lilo).
Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:
yum update
or to use apt:
apt-get update; apt-get upgrade
This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.
Note that this may not automatically pull the new kernel in if you have
configured apt/yum to ignore kernels. If so, follow the manual
instructions above.
Florian Westphal discovered that cmd5checkpw is installed setuid
cmd5checkpw but does not drop privileges before calling execvp(), so
the invoked program retains the cmd5checkpw euid.
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
Subject: Updated emacs package for LBA-Linux R2
Advisory ID: LBASA-2005:4
Date: Sunday, February 27, 2005
Product: LBA-Linux R2
Problem description:
CAN-2005-0100
Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3,
and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote
malicious POP3 servers to execute arbitrary code via crafted packets.
Subject: Updated xemacs package for LBA-Linux R2
Advisory ID: LBASA-2005:5
Date: Sunday, February 27, 2005
Product: LBA-Linux R2
Problem description:
CAN-2005-0100
Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3,
and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote
malicious POP3 servers to execute arbitrary code via crafted packets.
Subject: Updated postgresql package for LBA-Linux R2
Advisory ID: LBASA-2005:6
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2005-0227
PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allow local users to
load arbitrary shared libraries and execute code via the LOAD extension.
CAN-2005-0244
PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE
permission check for functions by using the CREATE AGGREGATE command.
CAN-2005-0245
Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow
attackers to execute arbitrary code via a large number of arguments to
a refcursor function (gram.y), which leads to a heap-based buffer
overflow, a different vulnerability than CAN-2005-0247.
CAN-2005-0246
The intagg contrib module for PostgreSQL 8.0.0 and earlier allows
attackers to cause a denial of service (crash) via crafted arrays.
CAN-2005-0247
Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier
may allow attackers to execute arbitrary code via (1) a large number
of variables in a SQL statement being handled by the read_sql_construct
function, (2) a large number of INTO variables in a SELECT statement
being handled by the make_select_stmt function, (3) a large number of
arbitrary variables in a SELECT statement being handled by the
make_select_stmt function, and (4) a large number of INTO variables in
a FETCH statement being handled by the make_fetch_stmt function, a
different set of vulnerabilities than CAN-2005-0245.
Subject: Updated mailman package for LBA-Linux R2
Advisory ID: LBASA-2005:7
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2005-0202
Directory traversal vulnerability in the true_path function in private.py
for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary
files via ".../....///" sequences, which are not properly cleansed by
regular expressions that are intended to remove "../" and "./" sequences.
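The weakness described above, that deleting "../" and "./" substrings can splice the remaining characters into a new "../", is shown below in a constructed Python stand-in for a strip-based true_path beside a component-based replacement. This is an added example, not Mailman's own private.py code; ARCHIVE_ROOT and the file name after the advisory's sequence are constructed values.

```python
import posixpath
import re

# Constructed example root; Mailman's real private archive path is not assumed here.
ARCHIVE_ROOT = "/var/lib/mailman/archives/private"

def escapes_root(candidate):
    """True when the candidate path, once normalised, no longer lies under
    ARCHIVE_ROOT. This is the containment check a strip-based cleanser never makes."""
    full = posixpath.normpath(candidate)
    return not (full == ARCHIVE_ROOT or full.startswith(ARCHIVE_ROOT + "/"))

def naive_true_path(path):
    """Strip-based cleansing in the spirit of the flawed true_path (constructed
    stand-in, not Mailman's code): delete '../' and './' with regular
    expressions. Each deletion can splice the characters on either side of it
    into a fresh '../', so one pass leaves traversal components behind."""
    path = re.sub(r"\.\./", "", path)
    path = re.sub(r"\./", "", path)
    path = re.sub(r"/+", "/", path)
    return ARCHIVE_ROOT + "/" + path.lstrip("/")

def safe_true_path(path):
    """Hardened form: decide per path component instead of rewriting the string.
    Drop empty and '.' components, refuse '..' outright, then confirm the
    normalised result is still inside ARCHIVE_ROOT. Returns None on rejection."""
    parts = [p for p in path.split("/") if p not in ("", ".")]
    if ".." in parts:
        return None
    full = posixpath.normpath(posixpath.join(ARCHIVE_ROOT, *parts))
    if escapes_root(full):
        return None
    return full

if __name__ == "__main__":
    # The sequence quoted in the advisory, followed by a constructed file name.
    probe = ".../....///secret.txt"
    print(naive_true_path(probe), escapes_root(naive_true_path(probe)))
    print(safe_true_path(probe))
    print(safe_true_path("listname/2005-February/000001.html"))
```

Note that the component-based version keeps literal directory names such as "..." untouched rather than mangling them into "..": the string is never rewritten, only checked.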
Subject: Updated mysql package for LBA-Linux R2
Advisory ID: LBASA-2005:8
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2005-0004
The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10,
5.0.x before 5.0.3, and other versions including 3.x, allows local users
to overwrite arbitrary files or read temporary files via a symlink attack
on temporary files.
Subject: Updated enscript package for LBA-Linux R2
Advisory ID: LBASA-2005:9
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-1184
The EPSF pipe support in enscript 1.6.3 allows remote attackers or local
users to execute arbitrary commands via shell metacharacters.
CAN-2004-1185
Enscript 1.6.3 does not sanitize filenames, which allows remote attackers
or local users to execute arbitrary commands via crafted filenames.
CAN-2004-1186
Multiple buffer overflows in enscript 1.6.3 allow remote attackers or
local users to cause a denial of service (application crash).
Subject: Updated unarj package for LBA-Linux R2
Advisory ID: LBASA-2005:10
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-0947
Buffer overflow in unarj before 2.63a-r2 allows remote attackers to
execute arbitrary code via an arj archive that contains long filenames.
CAN-2004-1027
Directory traversal vulnerability in the -x (extract) command line option
in unarj allows remote attackers to overwrite arbitrary files via an arj
archive with filenames that contain .. (dot dot) sequences.
Subject: Updated zip package for LBA-Linux R2
Advisory ID: LBASA-2005:11
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-1010
Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using
recursive folder compression, allows remote attackers to execute arbitrary
code via a ZIP file containing a long pathname.
Subject: Updated iptables package for LBA-Linux R2
Advisory ID: LBASA-2005:12
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2004-0986
iptables before 1.2.11, under certain conditions, does not properly load
the required modules at system startup, which causes the firewall rules
to fail to load and protect the system from remote attackers.
Subject: Updated imap package for LBA-Linux R2
Advisory ID: LBASA-2005:13
Date: Monday, February 28, 2005
Product: LBA-Linux R2
Problem description:
CAN-2005-0198
A logic error in the CRAM-MD5 code for the University of Washington IMAP
(UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5
(CRAM-MD5) is enabled, does not properly enforce all the required conditions
for successful authentication, which allows remote attackers to authenticate
as arbitrary users.
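To make concrete what "all the required conditions" means for a CRAM-MD5 server, the following added Python example (not UW-IMAP's code) walks through the RFC 2195 exchange on both sides and shows a verifier that only accepts when the response is well-formed, names a known user, and carries a digest that matches the HMAC-MD5 of that user's secret over the challenge the server actually issued. The USERS store and the host name are constructed values.

```python
import hashlib
import hmac
import os
import time

# Constructed credential store standing in for the server's user database.
USERS = {"alice": b"correct horse battery staple"}

def make_challenge(hostname="imap.example.invalid"):
    """Server side: a fresh, unpredictable challenge in the RFC 2195 form
    <random.timestamp@host>. Freshness is what binds a response to one
    session and makes a captured response useless for replay."""
    nonce = os.urandom(8).hex()
    return f"<{nonce}.{int(time.time())}@{hostname}>".encode()

def client_response(username, password, challenge):
    """Client side: 'username SPACE hex(HMAC-MD5(password, challenge))'."""
    digest = hmac.new(password, challenge, hashlib.md5).hexdigest()
    return f"{username} {digest}".encode()

def verify_response(response, challenge):
    """Server side. Returns the authenticated username or None. Every
    condition is checked and any failure rejects; there is no path on which
    a partial check is treated as success."""
    fields = response.split(b" ")
    if len(fields) != 2:
        return None                      # malformed response
    username, digest = fields[0].decode("ascii", "replace"), fields[1]
    secret = USERS.get(username)
    if secret is None:
        return None                      # unknown user is never accepted
    expected = hmac.new(secret, challenge, hashlib.md5).hexdigest().encode()
    if len(digest) != 32 or not hmac.compare_digest(expected, digest):
        return None                      # wrong secret or wrong challenge
    return username

if __name__ == "__main__":
    challenge = make_challenge()
    good = client_response("alice", USERS["alice"], challenge)
    print(verify_response(good, challenge))                       # alice
    print(verify_response(client_response("alice", b"guess", challenge), challenge))  # None
    print(verify_response(good, make_challenge()))                 # None: bound to its challenge
```

In a production server the unknown-user branch would still compute a dummy HMAC so that timing does not reveal which usernames exist.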
A security issue affects the following Ubuntu releases:
Ubuntu 4.10 (Warty Warthog)
The following packages are affected:
gaim
The problem can be corrected by upgrading the affected package to
version 1:1.0.0-1ubuntu1.2. In general, a standard system upgrade is
sufficient to effect the necessary changes.
Details follow:
The Gaim developers discovered that the HTML parser did not
sufficiently validate its input. This allowed a remote attacker to
crash the Gaim client by sending certain malformed HTML messages.
(CAN-2005-0208, CAN-2005-0473)
Another lack of sufficient input validation was found in the "Oscar"
protocol handler which is used for ICQ and AIM. By sending specially
crafted packets, remote users could trigger an infinite loop in Gaim
which caused Gaim to become unresponsive and hang. (CAN-2005-0472)