---

Security Digest: January 27, 2005

Conectiva Linux


CONECTIVA LINUX SECURITY ANNOUNCEMENT


PACKAGE : squid
SUMMARY : Fixes for squid vulnerabilities
DATE : 2005-01-26 13:41:00
ID : CLA-2005:923
RELEVANT RELEASES : 9, 10


DESCRIPTION
Squid[1] is a full-featured web proxy cache.

This announcement adds the following patches to Squid:

1. Empty ACLs [2]
The meaning of the access controls becomes somewhat confusing if
any of the referenced ACLs is declared empty, without any
members.

2. Fakeauth_auth [3]
The NTLM fakeauth_auth helper has a memory leak that may cause it
to run out of memory under high load, or if it runs for a very long
time. Additionally, a malformed NTLM type 3 message could cause a
segmentation violation.

3. LDAP spaces [4]
LDAP is very forgiving about spaces in search filters and this
could be abused to log in using several variants of the login name,
possibly bypassing explicit access controls or confusing
accounting.

4. Non blocking disk [5]
O_NONBLOCK on disk files is not standardized, and results
may be unexpected. Linux now starts to add O_NONBLOCK support on
disk files but the implementation is not complete yet and this
bites Squid.

5. Gopher html parsing [6]
A malicious gopher server may return a response with very long
lines that cause a buffer overflow in Squid.

6. WCCP denial of service [7]
WCCP_I_SEE_YOU messages contain a 'number of caches' field which
should be between 1 and 32. Values outside that range may crash
Squid if WCCP is enabled, and if an attacker can spoof UDP packets
with the WCCP router's IP address.

7. SNMP core dump [8]
If a certain malformed SNMP request is received, Squid restarts with
a Segmentation Fault error.

Additionally, this announcement increases the time Squid's
initscript waits for the service to stop from 10 seconds to 35
seconds, avoiding problems with stuck connections.
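
For item 6 above, the range check on the 'number of caches' field can be sketched as follows. This is an added example, not code from Squid or from the Conectiva patch; the message layout (20-byte header, count at offset 16, 44-byte entries) and all function names are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed, simplified layout (illustration only, not Squid's structures):
 * a 20-byte header whose last 32-bit big-endian word is the
 * "number of caches", followed by that many fixed-size cache entries. */
enum { HDR_LEN = 20, COUNT_OFF = 16, ENTRY_LEN = 44 };
enum { MIN_CACHES = 1, MAX_CACHES = 32 };   /* range stated in the advisory */

/* Return the validated cache count, or -1 if the message must be dropped. */
int wccp_check_i_see_you(const unsigned char *pkt, size_t len)
{
    uint32_t raw, n;

    if (pkt == NULL || len < HDR_LEN)
        return -1;                      /* too short to hold the header */
    memcpy(&raw, pkt + COUNT_OFF, sizeof raw);  /* avoid an unaligned read */
    n = ntohl(raw);
    if (n < MIN_CACHES || n > MAX_CACHES)
        return -1;                      /* count outside 1..32 */
    if ((len - HDR_LEN) / ENTRY_LEN < n)
        return -1;                      /* claims more entries than received */
    return (int)n;
}

/* Build a constructed sample message and run the check on it. */
int check_sample(uint32_t claimed, size_t entries_present)
{
    unsigned char buf[HDR_LEN + MAX_CACHES * ENTRY_LEN] = {0};
    uint32_t raw = htonl(claimed);
    size_t len;

    if (entries_present > MAX_CACHES)
        entries_present = MAX_CACHES;
    len = HDR_LEN + entries_present * ENTRY_LEN;
    memcpy(buf + COUNT_OFF, &raw, sizeof raw);
    return wccp_check_i_see_you(buf, len);
}

int main(void)
{
    printf("count=2, 2 entries  -> %d\n", check_sample(2, 2));
    printf("count=0             -> %d\n", check_sample(0, 0));
    printf("count=33            -> %d\n", check_sample(33, 32));
    printf("count=4, 2 entries  -> %d\n", check_sample(4, 2));
    return 0;
}
```

The count is checked against the bytes actually received as well as against the 1 to 32 range, so a message that claims more entries than it carries is dropped before any entry is read.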

SOLUTION
It is recommended that all squid users upgrade to the latest
packages. This update will automatically restart the service if it
is already running.

REFERENCES
1. http://squid.nlanr.net/
2. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls
3. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth
4. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces
5. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-non_blocking_disk
6. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-gopher_html_parsing
7. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_denial_of_service
8. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-SNMP_core_dump

UPDATED PACKAGES

ftp://atualizacoes.conectiva.com.br/10/SRPMS/squid-2.5.5-63116U10_6cl.src.rpm


ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-2.5.5-63116U10_6cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-auth-2.5.5-63116U10_6cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/10/RPMS/squid-extra-templates-2.5.5-63116U10_6cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/9/SRPMS/squid-2.5.5-25761U90_9cl.src.rpm


ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-2.5.5-25761U90_9cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-auth-2.5.5-25761U90_9cl.i386.rpm


ftp://atualizacoes.conectiva.com.br/9/RPMS/squid-extra-templates-2.5.5-25761U90_9cl.i386.rpm

ADDITIONAL INSTRUCTIONS
The apt tool can be used to perform RPM package upgrades:

  • run: apt-get update
  • after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade
examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


All packages are signed with Conectiva’s GPG key. The key and
instructions on how to import it can be found at
http://distro.conectiva.com.br/seguranca/chave/?idioma=en
Instructions on how to check the signatures of the RPM packages can
be found at http://distro.conectiva.com.br/seguranca/politica/?idioma=en


All our advisories and generic update instructions can be viewed at
http://distro.conectiva.com.br/atualizacoes/?idioma=en


Copyright (c) 2004 Conectiva Inc.
http://www.conectiva.com

Debian GNU/Linux


Debian Security Advisory DSA 661-1 security@debian.org
http://www.debian.org/security/
Martin Schulze
January 27th, 2005 http://www.debian.org/security/faq


Package : f2c
Vulnerability : insecure temporary files
Problem-Type : local
Debian-specific: no
CVE ID : CAN-2005-0017 CAN-2005-0018

Javier Fernández-Sanguino Peña from
the Debian Security Audit project discovered that f2c and fc, which
are both part of the f2c package, a Fortran 77 to C/C++ translator,
open temporary files insecurely and are hence vulnerable to a
symlink attack. The Common Vulnerabilities and Exposures project
identifies the following vulnerabilities:

CAN-2005-0017

Multiple insecure temporary files in the f2c translator.

CAN-2005-0018

Two insecure temporary files in the f2 shell script.

For the stable distribution (woody) these problems have been
fixed in version 20010821-3.1

For the unstable distribution (sid) these problems will be fixed
soon.

We recommend that you upgrade your f2c package.

Upgrade Instructions


wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody


Source archives:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1.dsc

Size/MD5 checksum: 519 c245d8c55d5bc7686fb424ba83ad33dc

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1.diff.gz

Size/MD5 checksum: 28688 ae7f2dc8def540a029f796c6de397af1

http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821.orig.tar.gz

Size/MD5 checksum: 416017 f2527aed84c8db35c883615c3b9b8511

Alpha architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_alpha.deb

Size/MD5 checksum: 525056 a28714e82120e4a9a9ef97ff20fe719b

ARM architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_arm.deb

Size/MD5 checksum: 470448 4a35312c2a14b9c5c23a2af416896502

Intel IA-32 architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_i386.deb

Size/MD5 checksum: 423100 5e12281a52c42445bc984cb1045c739c

Intel IA-64 architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_ia64.deb

Size/MD5 checksum: 678778 e5b288c10fa245d283b51fdd00fbda6b

HP Precision architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_hppa.deb

Size/MD5 checksum: 493400 82cdc10d36587ce4fa14ab92878fa109

Motorola 680x0 architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_m68k.deb

Size/MD5 checksum: 407568 5fb83a199fb3469e01f2ac23172758b1

Big endian MIPS architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_mips.deb

Size/MD5 checksum: 483078 ff74d93993830d87c01b06b2667fbb72

Little endian MIPS architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_mipsel.deb

Size/MD5 checksum: 481644 7fa990a07b294c196dc3404efc2ce2d9

PowerPC architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_powerpc.deb

Size/MD5 checksum: 455606 2232d1ef2bebd4268598903994ab3e43

IBM S/390 architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_s390.deb

Size/MD5 checksum: 446322 50797aed670f8b85975335f9fd8cc6c2

Sun Sparc architecture:


http://security.debian.org/pool/updates/main/f/f2c/f2c_20010821-3.1_sparc.deb

Size/MD5 checksum: 467154 284b8fa77e1706d235b77175c1fb1596

These files will probably be moved into the stable distribution
on its next update.


For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org

Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

Gentoo Linux


Gentoo Linux Security Advisory GLSA 200501-37


http://security.gentoo.org/


Severity: Normal
Title: GraphicsMagick: PSD decoding heap overflow
Date: January 26, 2005
Bugs: #79336
ID: 200501-37


Synopsis

GraphicsMagick is vulnerable to a heap overflow when decoding
Photoshop Document (PSD) files, which could lead to arbitrary code
execution.

Background

GraphicsMagick is a collection of tools to read, write and
manipulate images in many formats. GraphicsMagick is originally
derived from ImageMagick 5.5.2.

Affected packages


     Package                   /  Vulnerable  /             Unaffected

  1  media-gfx/graphicsmagick       < 1.1.5                   >= 1.1.5

Description

Andrei Nigmatulin discovered that handling a Photoshop Document
(PSD) file with more than 24 layers in ImageMagick could trigger a
heap overflow (GLSA 200501-26). GraphicsMagick is based on the same
code and therefore suffers from the same flaw.

Impact

An attacker could potentially design a malicious PSD image file
to cause arbitrary code execution with the permissions of the user
running GraphicsMagick.

Workaround

There is no known workaround at this time.

Resolution

All GraphicsMagick users should upgrade to the latest
version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=media-gfx/graphicsmagick-1.1.5"

References

[ 1 ] CAN-2005-0005

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0005

[ 2 ] GLSA 200501-26

http://www.gentoo.org/security/en/glsa/glsa-200501-26.xml

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-37.xml

Concerns?

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License

Copyright 2005 Gentoo Foundation, Inc; referenced text belongs
to its owner(s).

The contents of this document are licensed under the Creative
Commons – Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


Gentoo Linux Security Advisory GLSA 200501-38


http://security.gentoo.org/


Severity: Normal
Title: Perl: rmtree and DBI tmpfile vulnerabilities
Date: January 26, 2005
Bugs: #78634, #75696
ID: 200501-38


Synopsis

The Perl DBI library and File::Path::rmtree function are
vulnerable to symlink attacks.

Background

Perl is a cross platform programming language. The DBI is the
standard database interface module for Perl.

Affected packages


     Package        /   Vulnerable   /                      Unaffected

  1  dev-perl/dbi         <= 1.38                          *>= 1.37-r1
                                                            >= 1.38-r1
  2  dev-lang/perl      <= 5.8.6-r1                        >= 5.8.6-r2
                                                          *>= 5.8.5-r3
                                                          *>= 5.8.4-r2
                                                          *>= 5.8.2-r2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.

Description

Javier Fernandez-Sanguino Pena discovered that the DBI library
creates temporary files in an insecure, predictable way
(CAN-2005-0077). Paul Szabo found out that “File::Path::rmtree”
also handles temporary files insecurely (CAN-2004-0452).

Impact

A local attacker could create symbolic links in the temporary
files directory that point to a valid file somewhere on the
filesystem. When the DBI library or File::Path::rmtree is executed,
this could be used to overwrite files with the rights of the user
calling these functions.
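
The symlink problem described here, and in the Debian f2c advisory earlier in this digest, is avoided by creating temporary files exclusively. The following is an added example, not code from Perl, DBI or f2c; the function names and file names are hypothetical, and the scenario is constructed inside a private directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened create: O_CREAT|O_EXCL fails if the name already exists (a
 * symlink counts as existing), O_NOFOLLOW refuses a symlink in the last
 * path component, and mode 0600 keeps other local users out. */
int create_scratch(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory.
 * Returns 1 when the pre-planted symlink is refused, its target is left
 * unmodified, and a fresh name is still created; 0 or -1 otherwise. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/scratch-demo-XXXXXX";
    char target[64], planted[64], fresh[64];
    struct stat st;
    int fd, refused, intact, created;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/important", dir);
    snprintf(planted, sizeof planted, "%s/prog.tmp", dir); /* predictable name */
    snprintf(fresh, sizeof fresh, "%s/prog2.tmp", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep", 4) != 4)
        return -1;
    close(fd);
    if (symlink(target, planted) != 0)
        return -1;

    fd = create_scratch(planted);       /* name is already a symlink */
    refused = (fd < 0);
    if (fd >= 0)
        close(fd);
    intact = (stat(target, &st) == 0 && st.st_size == 4);
    fd = create_scratch(fresh);         /* unused name: must succeed */
    created = (fd >= 0);
    if (fd >= 0)
        close(fd);

    unlink(fresh); unlink(planted); unlink(target); rmdir(dir);
    return refused && intact && created;
}

int main(void)
{
    return symlink_is_refused() == 1 ? 0 : 1;
}
```

Where the file name does not need to be fixed, mkstemp() gives the same exclusive-create behaviour together with an unpredictable name.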

Workaround

There are no known workarounds at this time.

Resolution

All Perl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-lang/perl

All DBI library users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-perl/dbi

References

[ 1 ] CAN-2005-0077

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0077

[ 2 ] CAN-2004-0452

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0452

Availability

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200501-38.xml


Mandrakelinux


Mandrakelinux Security Update Advisory


Package name: evolution
Advisory ID: MDKSA-2005:024
Date: January 27th, 2005
Affected versions: 10.0, 10.1, Corporate Server 3.0


Problem Description:

Max Vozeler discovered an integer overflow in the
camel-lock-helper application. This application is installed setgid
mail by default. A local attacker could exploit this to execute
malicious code with the privileges of the “mail” group; likewise a
remote attacker could set up a malicious POP server to execute
arbitrary code when an Evolution user connects to it.

The updated packages have been patched to prevent this
problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0102


Updated Packages:

Mandrakelinux 10.0:
3397788a5d8a84d8fd1294225bdfa546
10.0/RPMS/evolution-1.4.6-5.1.100mdk.i586.rpm
0e2280ac393ca059ae4d19b3db8289ee
10.0/RPMS/evolution-devel-1.4.6-5.1.100mdk.i586.rpm
6d1f2aa61768f1cebeeb5454abbc4a67
10.0/RPMS/evolution-pilot-1.4.6-5.1.100mdk.i586.rpm
cc0058793a3353fd9d420da898e42213
10.0/SRPMS/evolution-1.4.6-5.1.100mdk.src.rpm

Mandrakelinux 10.0/AMD64:
2cbb561ccbd6a2a30c4830e4bdae4c17
amd64/10.0/RPMS/evolution-1.4.6-5.1.100mdk.amd64.rpm
35673a1c5f7c595930def4776bfeba12
amd64/10.0/RPMS/evolution-devel-1.4.6-5.1.100mdk.amd64.rpm
091ef5247fce276a0c8fffd3efd2d967
amd64/10.0/RPMS/evolution-pilot-1.4.6-5.1.100mdk.amd64.rpm
cc0058793a3353fd9d420da898e42213
amd64/10.0/SRPMS/evolution-1.4.6-5.1.100mdk.src.rpm

Mandrakelinux 10.1:
0b3320cd8f1209071dbb38de3f5f4c62
10.1/RPMS/evolution-2.0.3-1.2.101mdk.i586.rpm
d7cf293651f49ef222da230f4ad3cb2d
10.1/RPMS/evolution-devel-2.0.3-1.2.101mdk.i586.rpm
89f0d1b662517cb0756eec458cd6c234
10.1/RPMS/evolution-pilot-2.0.3-1.2.101mdk.i586.rpm
ee51751a3cabf18e53bd1e3092da3223
10.1/SRPMS/evolution-2.0.3-1.2.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
984eae27bc6fbebcf32002ba61b17670
x86_64/10.1/RPMS/evolution-2.0.3-1.2.101mdk.x86_64.rpm
8bc7680f0095b4153a882716f8485daf
x86_64/10.1/RPMS/evolution-devel-2.0.3-1.2.101mdk.x86_64.rpm
3db68c56395c13a3fe458645bb1c9975
x86_64/10.1/RPMS/evolution-pilot-2.0.3-1.2.101mdk.x86_64.rpm
ee51751a3cabf18e53bd1e3092da3223
x86_64/10.1/SRPMS/evolution-2.0.3-1.2.101mdk.src.rpm

Corporate Server 3.0:
6a8867e05261d45f89ff09e9cb05ff31
corporate/3.0/RPMS/evolution-1.4.6-5.1.C30mdk.i586.rpm
a9a7a5c41a121178a2fffbff6a8764a3
corporate/3.0/RPMS/evolution-devel-1.4.6-5.1.C30mdk.i586.rpm
4d6f9b339eb9cc545e9b562d8223fca8
corporate/3.0/RPMS/evolution-pilot-1.4.6-5.1.C30mdk.i586.rpm
854f366f4a1c868e905888a46d06603a
corporate/3.0/SRPMS/evolution-1.4.6-5.1.C30mdk.src.rpm

Corporate Server 3.0/x86_64:
194f59a32369684d6642067924937dcd
x86_64/corporate/3.0/RPMS/evolution-1.4.6-5.1.C30mdk.x86_64.rpm
79de9373078067bc09779afb01b2a2f1
x86_64/corporate/3.0/RPMS/evolution-devel-1.4.6-5.1.C30mdk.x86_64.rpm

a050fc93565161d237e141feb014c9f1
x86_64/corporate/3.0/RPMS/evolution-pilot-1.4.6-5.1.C30mdk.x86_64.rpm

854f366f4a1c868e905888a46d06603a
x86_64/corporate/3.0/SRPMS/evolution-1.4.6-5.1.C30mdk.src.rpm


To upgrade automatically use MandrakeUpdate or urpmi. The
verification of md5 checksums and GPG signatures is performed
automatically for you.

All packages are signed by Mandrakesoft for security. You can
obtain the GPG public key of the Mandrakelinux Security Team by
executing:

gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

You can view other update advisories for Mandrakelinux at:

http://www.mandrakesoft.com/security/advisories

If you want to report vulnerabilities, please contact

security_linux-mandrake.com

Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
<security linux-mandrake.com>


Mandrakelinux Security Update Advisory


Package name: bind
Advisory ID: MDKSA-2005:023
Date: January 26th, 2005
Affected versions: 10.1


Problem Description:

A vulnerability was discovered in BIND version 9.3.0 where a
remote attacker may be able to cause named to exit prematurely,
causing a Denial of Service due to an incorrect assumption in the
validator function authvalidated().

The updated packages have been patched to prevent this
problem.


References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0034
http://www.kb.cert.org/vuls/id/938617


Updated Packages:

Mandrakelinux 10.1:
2c3b0b567b122b32672834813099ace9
10.1/RPMS/bind-9.3.0-3.1.101mdk.i586.rpm
f9e226057c52236b13631ffe032f6bc2
10.1/RPMS/bind-devel-9.3.0-3.1.101mdk.i586.rpm
e6a4b508f747a26af2e98d879cb1127e
10.1/RPMS/bind-utils-9.3.0-3.1.101mdk.i586.rpm
bcfc92436972a46b3788ec38edfd45d9
10.1/SRPMS/bind-9.3.0-3.1.101mdk.src.rpm

Mandrakelinux 10.1/X86_64:
1e497338a4c775afd571157c94b7a954
x86_64/10.1/RPMS/bind-9.3.0-3.1.101mdk.x86_64.rpm
9e61bddc45238b768bc2f93948a9024b
x86_64/10.1/RPMS/bind-devel-9.3.0-3.1.101mdk.x86_64.rpm
17cf2955482bc6c3523b0123ca2010d9
x86_64/10.1/RPMS/bind-utils-9.3.0-3.1.101mdk.x86_64.rpm
bcfc92436972a46b3788ec38edfd45d9
x86_64/10.1/SRPMS/bind-9.3.0-3.1.101mdk.src.rpm


