Home Security

Advisories, September 20, 2005

By

September 21, 2005

Gentoo Linux

Gentoo Linux Security Advisory GLSA 200509-14

http://security.gentoo.org/

Severity: Normal
Title: Zebedee: Denial of Service vulnerability
Date: September 20, 2005
Bugs: #105115
ID: 200509-14

Synopsis

A bug in Zebedee allows a remote attacker to perform a Denial of
Service attack.

Background

Zebedee is an application that establishes an encrypted,
compressed tunnel for TCP/IP or UDP data transfer between two
systems.

Affected packages

     Package           /  Vulnerable  /                     Unaffected



  1  net-misc/zebedee       < 2.5.3                       *>= 2.4.1-r1
                                                              >= 2.5.3

Description

“Shiraishi.M” reported that Zebedee crashes when “0” is received
as the port number in the protocol option header.

Impact

By performing malformed requests a remote attacker could cause
Zebedee to crash.

Workaround

There is no known workaround at this time.

Resolution

All Zebedee users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose net-misc/zebedee

References

[ 1 ] BugTraq ID 14796

http://www.securityfocus.com/bid/14796

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200509-14.xml

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Gentoo Linux Security Advisory GLSA 200509-15

http://security.gentoo.org/

Severity: High
Title: util-linux: umount command validation error
Date: September 20, 2005
Bugs: #105805
ID: 200509-15

Synopsis

A command validation error in umount can lead to an escalation
of privileges.

Background

util-linux is a suite of useful Linux programs including umount,
a program used to unmount filesystems.

Affected packages

     Package              /  Vulnerable  /                  Unaffected

  1  sys-apps/util-linux     < 2.12q-r3                    >= 2.12q-r3

Description

When a regular user mounts a filesystem, they are subject to
restrictions in the /etc/fstab configuration file. David Watson
discovered that when unmounting a filesystem with the ‘-r’ option,
the read-only bit is set, while other bits, such as nosuid or
nodev, are not set, even if they were previously.

Impact

An unprivileged user facing nosuid or nodev restrictions can
umount -r a filesystem clearing those bits, allowing applications
to be executed suid, or have device nodes interpreted. In the case
where the user can freely modify the contents of the filesystem,
privilege escalation may occur as a custom program may execute with
suid permissions.

Workaround

Two workarounds exist, first, the suid bit can be removed from
the umount utility, or users can be restricted from mounting and
unmounting filesystems in /etc/fstab.

Resolution

All util-linux users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=sys-apps/util-linux-2.12q-r3"

References

[ 1 ] CAN-2005-2876

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2005-2876

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200509-15.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

Mandriva Linux

Mandriva Linux Security Update Advisory

Package name: cups
Advisory ID: MDKSA-2005:165
Date: September 15th, 2005
Affected versions: 10.0, Corporate 3.0, Corporate Server 2.1

Problem Description:

A vulnerability in CUPS would treat a Location directive in
cupsd.conf as case-sensitive, allowing attackers to bypass intended
ACLs via a printer name containing uppercase or lowecase letters
that are different from that which was specified in the Location
directive. This issue only affects versions of CUPS prior to
1.1.21rc1.

The updated packages have been patched to correct this
problem.

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2154

Updated Packages:

Mandrakelinux 10.0:
57949999ec0803d9b3950ae663371c2e
10.0/RPMS/cups-1.1.20-5.9.100mdk.i586.rpm
ce7f1071f6c62590a1b6871ab9b17816
10.0/RPMS/cups-common-1.1.20-5.9.100mdk.i586.rpm
f8271f099e17e7fc2a8b8d3707fe4611
10.0/RPMS/cups-serial-1.1.20-5.9.100mdk.i586.rpm
8d0e92e091f01dbfa43c80abc1e5521b
10.0/RPMS/libcups2-1.1.20-5.9.100mdk.i586.rpm
4b7e237ef3ba38546873231937eeaf14
10.0/RPMS/libcups2-devel-1.1.20-5.9.100mdk.i586.rpm
02f0085442de9f53ed52c53372921c54
10.0/SRPMS/cups-1.1.20-5.9.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
c741e915ab4478906c4c0c9975a28199
amd64/10.0/RPMS/cups-1.1.20-5.9.100mdk.amd64.rpm
844f1025e5689bfa1270b46b18092604
amd64/10.0/RPMS/cups-common-1.1.20-5.9.100mdk.amd64.rpm
519d6d527ff35b8589c22a77d01bb89c
amd64/10.0/RPMS/cups-serial-1.1.20-5.9.100mdk.amd64.rpm
1409f88c2e6c6b64d2bc98054ba88c56
amd64/10.0/RPMS/lib64cups2-1.1.20-5.9.100mdk.amd64.rpm
49478b1e66b17ed734036f0699a73ace
amd64/10.0/RPMS/lib64cups2-devel-1.1.20-5.9.100mdk.amd64.rpm
8d0e92e091f01dbfa43c80abc1e5521b
amd64/10.0/RPMS/libcups2-1.1.20-5.9.100mdk.i586.rpm
02f0085442de9f53ed52c53372921c54
amd64/10.0/SRPMS/cups-1.1.20-5.9.100mdk.src.rpm

Corporate Server 2.1:
b382582f3c83bab30c115774033543c6
corporate/2.1/RPMS/cups-1.1.18-2.11.C21mdk.i586.rpm
29c884dd71f8422db48e7d3831eeccb8
corporate/2.1/RPMS/cups-common-1.1.18-2.11.C21mdk.i586.rpm
22b2e3c9e34671ba4c84ec368c0219cb
corporate/2.1/RPMS/cups-serial-1.1.18-2.11.C21mdk.i586.rpm
cdc9ca097da2cccf3c67cfe1a7e7d4ec
corporate/2.1/RPMS/libcups1-1.1.18-2.11.C21mdk.i586.rpm
7e628218d90f639d24476cb635a64922
corporate/2.1/RPMS/libcups1-devel-1.1.18-2.11.C21mdk.i586.rpm
7be4ece8ab5cba50791771a9065c78ed
corporate/2.1/SRPMS/cups-1.1.18-2.11.C21mdk.src.rpm

Corporate Server 2.1/X86_64:
8ebafcbc57a13198165a79082be2a78d
x86_64/corporate/2.1/RPMS/cups-1.1.18-2.11.C21mdk.x86_64.rpm
56d85e620b01894f34660eba96d9ee40
x86_64/corporate/2.1/RPMS/cups-common-1.1.18-2.11.C21mdk.x86_64.rpm

8a7fa44f47379d778a1657e5497c34b6
x86_64/corporate/2.1/RPMS/cups-serial-1.1.18-2.11.C21mdk.x86_64.rpm

8e9b8d6c247e091bd8dc38e1733f9c2f
x86_64/corporate/2.1/RPMS/libcups1-1.1.18-2.11.C21mdk.x86_64.rpm

45cfd7747e040cee340fec0edf37be0d
x86_64/corporate/2.1/RPMS/libcups1-devel-1.1.18-2.11.C21mdk.x86_64.rpm

7be4ece8ab5cba50791771a9065c78ed
x86_64/corporate/2.1/SRPMS/cups-1.1.18-2.11.C21mdk.src.rpm

Corporate 3.0:
c0c6fa6731a99d3941ff0a2538b83d2c
corporate/3.0/RPMS/cups-1.1.20-5.9.C30mdk.i586.rpm
ad7e66e80f1336beeaef65678dcd06c1
corporate/3.0/RPMS/cups-common-1.1.20-5.9.C30mdk.i586.rpm
715af6b604429210810cb1fcb2d88b11
corporate/3.0/RPMS/cups-serial-1.1.20-5.9.C30mdk.i586.rpm
36d71921d656bb291dfd129d63a2519a
corporate/3.0/RPMS/libcups2-1.1.20-5.9.C30mdk.i586.rpm
a06251d040e615159758b548ee5da785
corporate/3.0/RPMS/libcups2-devel-1.1.20-5.9.C30mdk.i586.rpm
7c02299537a6646f6664fc8253895d03
corporate/3.0/SRPMS/cups-1.1.20-5.9.C30mdk.src.rpm

Corporate 3.0/X86_64:
7fd22a6928fcdce24fda3e8de71cf39a
x86_64/corporate/3.0/RPMS/cups-1.1.20-5.9.C30mdk.x86_64.rpm
bb37ebd7097e663304baac02e394292a
x86_64/corporate/3.0/RPMS/cups-common-1.1.20-5.9.C30mdk.x86_64.rpm

7c79a96dcbae50e6e0b27eb43fa249eb
x86_64/corporate/3.0/RPMS/cups-serial-1.1.20-5.9.C30mdk.x86_64.rpm

d013b48caa5339b855ec33d19bdb21db
x86_64/corporate/3.0/RPMS/lib64cups2-1.1.20-5.9.C30mdk.x86_64.rpm

10a98e8e62085460bec857e516b7c577
x86_64/corporate/3.0/RPMS/lib64cups2-devel-1.1.20-5.9.C30mdk.x86_64.rpm

36d71921d656bb291dfd129d63a2519a
x86_64/corporate/3.0/RPMS/libcups2-1.1.20-5.9.C30mdk.i586.rpm
7c02299537a6646f6664fc8253895d03
x86_64/corporate/3.0/SRPMS/cups-1.1.20-5.9.C30mdk.src.rpm

To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandriva for security. You can obtain
the GPG public key of the Mandriva Security Team by executing:

gpg –recv-keys –keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandriva Linux at:

http://www.mandriva.com/security/advisories

If you want to report vulnerabilities, please contact

security_(at)_mandriva.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>

Ubuntu Linux

Ubuntu Security Notice USN-185-1 September 20, 2005
cupsys vulnerability
CAN-2004-2154

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)

The following packages are affected:

cupsys

The problem can be corrected by upgrading the affected package
to version 1.1.20final+cvs20040330-4ubuntu16.5. In general, a
standard system upgrade is sufficient to effect the necessary
changes.

Details follow:

A flaw was detected in the printer access control list checking
in the CUPS server. Printer names were compared in a case sensitive
manner; by modifying the capitalization of printer names, a remote
attacker could circumvent ACLs and print to printers he should not
have access to.

The Ubuntu 5.04 version of cupsys is not vulnerable against
this.

Source archives:

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.1.20final+cvs20040330-4ubuntu16.5.diff.gz

Size/MD5: 1353545
138b931a4e026cacf0870ca3eba49506
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.1.20final+cvs20040330-4ubuntu16.5.dsc

Size/MD5: 867
0475f922a395811f2d1b4a39fd02c240
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.1.20final+cvs20040330.orig.tar.gz

Size/MD5: 5645146
5eb5983a71b26e4af841c26703fc2f79

amd64 architecture (Athlon64, Opteron, EM64T Xeon)

http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-bsd_1.1.20final+cvs20040330-4ubuntu16.5_amd64.deb

Size/MD5: 59052
6d80f59e40a3cdccf88a64e6eb8e8818
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys-client_1.1.20final+cvs20040330-4ubuntu16.5_amd64.deb

Size/MD5: 107326
6ad4b6a8b600d874b5de169588db23f7
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/cupsys_1.1.20final+cvs20040330-4ubuntu16.5_amd64.deb

Size/MD5: 3614844
22bb4ae245e3983b54ffac479f9d11bd
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2-dev_1.1.20final+cvs20040330-4ubuntu16.5_amd64.deb

Size/MD5: 62684
4a99fce77c094c644bb65701f544769b
http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/libcupsimage2_1.1.20final+cvs20040330-4ubuntu16.5_amd64.deb