Showing all newswire headlines

Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) have a buffer overflow in the tt_printf() function. A local user could abuse this making rxvt print a special string using that function, for example by using the -T or -name command-line options. That string would cause a stack overflow and contain code which rxvt will execute.

The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation) as distributed in Debian GNU/Linux 2.2 suffers from two problems:

Wolfram Kleff found a problem in fetchmail: it would crash when processing emails with extremely long headers. The problem was a buffer overflow in the header parser which could be exploited.

When LPRng drops uid and gid, it fails to drop membership in its supplemental groups.

Luki R. reported a bug in man-db: it did handle nested calls of drop_effective_privs() and regain_effective_privs() correctly which would cause it to regain privileges to early. This could be abused to make man create files as user man.

Megyer Laszlo found a printf format bug in the exim mail transfer agent. The code that checks the header syntax of an email logs an error without protecting itself against printf format attacks.

Updated GnuPG packages are now available for Red Hat Linux 6.2, 7, and 7.1. These updates include fixes for the recently-discovered format string vulnerability.

The ispell program uses mktemp() to open temporary files - this makes it vulnerable to symlink attacks.

Xinetd runs with umask 0 - this means that applications using the xinetd umask and not setting the permissions themselves (like swat from the samba package), will create world writable files.

The ispell program uses mktemp() to open temporary files - this makes it vulnerable to symlink attacks.

GnuPG (the SuSE package is named "gpg") is a powerful encryption and signing program with a widespread usership in the free software world. It is designed to be a replacement for PGP and conforms to the OpenPGP standard.

Two vulnerabilities have been found in the man package that is installed by default in all SuSE Linux distributions. The first error is a format string bug in the error handling routine of the man command that can allow a local attacker to gain the privileges of the user "man" on SuSE Linux systems (the man command in /usr/bin is installed setuid man). After getting write access to the /usr/bin/man binary, an attacker can place a cuckook's egg into the executable, waiting for root to view manpages. The second problem is a segmentation fault that can be caused by the options "-S ::: foo" to the man command. On other Linux distributions, this problem has been found exploitable. On SuSE and Debian systems, the code responsible for the bug is different from the one found in other distributions and is not exploitable. We consider the existence of this bug a beauty flaw that will be fixed in future releases of the SuSE Linux distribution, but the fix was not included in the man packages that can be found on our ftp server. Since the error() format string bug was discovered earlier than we announced that the SuSE Linux distributions 6.0, 6.1 and 6.2 will be discontinued, we also provide fixed packages for the said distributions for the i386 Intel architecture. We strongly encourage our usership to upgrade their systems to a newer distribution. Both bugs are fixed in the upcoming release of SuSE Linux 7.2.

A heap overrun exists in the man packages shipped with Red Hat Linux 5.x, 6.x and 7.0. Since man is setgid man, users could gain gid man privileges. Red Hat Linux 7.1 is not affected by this problem.

The version of mktemp shipped with Red Hat Linux prior to version 7 does not support creating temporary directories.

Multiple security vulnerabilities have been found in all Linux kernels of version 2.2 before version 2.2.19. Most of the found errors allow a local attacker to gain root privileges. None of the found errors in the v2.2 linux kernel make it possible for a remote attacker to gain access to the system or to elevate privileges from the outside of the system.

Updated Kerberos 5 packages are now available for Red Hat Linux 6.2, 7, and 7.1. These updates close a potential vulnerability present in the gssapi-aware ftpd included in the krb5-workstation package.

Updated gnupg packages are now available for Red Hat Linux 6.2, 7, and 7.1. These updates address a potential vulnerability which could allow an attacker to compute a user's secret key.

The crontab program is running setuser-id root and invokes the editor specified in the EDITOR environment variable, usually vi. If crontab discovers that the format of the edited file is incorrect, it executes the editor again but fails to drop its root privileges before. Therefore it is possible to execute arbitrary commands as root. It has been fixed by properly dropping the privileges before executing the editor. This bug was found by Sebastian Krahmer.

The crontab program is running setuser-id root and invokes the editor specified in the EDITOR environment variable, usually vi. If crontab discovers that the format of the edited file is incorrect, it executes the editor again but fails to drop its root privileges before. Therefore it is possible to execute arbitrary commands as root. Sebastian Krahmer has found the bug. It has been fixed by properly dropping the privileges before executing the editor.

New samba packages are available; these packages fix /tmp races in smbclient and the printing code. By exploiting these vulnerabilities, local users could overwrite any file in the system. It is recommended that all samba users upgrade to the fixed packages. Please note that the packages for Red Hat Linux 6.2 require an updated logrotate package. Note: these packages include the security patch from Samba-