Showing headlines posted by dave

Last week a Zope (security advisory was released which indicated Erik Enge found a problem in the way Zope calculates roles. In some situations Zope checked the wrong folder hierarchy which could cause it to grant local roles when it should not. In other words: users with privileges in one folder could gain privileges in another folder.

A new Zope-Hotfix package is availble which fixes issues with computation of local roles.

Michel Kaempf reported a security problem in slocate (a secure version of locate, a tool to quickly locate files on a filesystem) on bugtraq which was originally discovered by zorgon. He discovered there was a bug in the database reading code which made it overwrite a internal structure with some input. He then showed this could be exploited to trick slocate into executing arbitrary code by pointing it to a carefully crafted database.

The problem that was previously reported for joe also occurs with other editors. When nano (a free pico clone) unexpectedly dies it tries a warning message to a new file with a predictable name (the name of the file being edited with ".save" appended). Unfortunately that file was not created safely which made nano vulnerable to a symlink attack.

New BitchX packages are available which fix the problem with processing malformed DNS answers.

Vulnerability in legacy names allows calling those contructors without the correct permissions.

The ed editor used files in /tmp in an insecure fashion. It was possible for local users to exploit this vulnerability to modify files that they normally could not and gain elevated privilege.

A race vulnerability exists in the diskcheck package.

A race vulnerability exists in the diskcheck package.

The security fix for joe released on November 22, 2000 had a problem: it created the DEADJOE file securily but didn't write anything to it. This has been fixed in version 2.8.15.2 .

Michal Zalewski <lcamtuf@DIONE.IDS.PL> has found a buffer overflow in the html parser code of the Netscape Navigator in all versions before and including 4.75. html code of the form

Colin Phipps found an interesting symlink attack problem in fsh (a tool to quickly run remote commands over rsh/ssh/lsh). When fshd starts it creates a directory in /tmp to hold its sockets. It tries to do that securely by checking of it can chown that directory if it already exists to check if it is owner by the user invoking it. However an attacker can circumvent this check by inserting a symlink to a file that is owner by the user who runs fhsd and replacing that with a directory just before fshd creates the socket.

Updated Ethereal packages are available.

Alan Cox discovered that GNU ed (a classed line editor tool) created temporary files unsafely. This has been fixed in version 0.2-18.1.

A remote DoS (denial of service) attack is possible with bind versions prior to 8.

Updated nss_ldap packages are now available for Red Hat Linux 6.1, 6.2, and 7. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha.

Updated cyrus-sasl packages are now available for Red Hat Linux 7. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Updated usermode packages are now available for Red Hat Linux 6.x and 7. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

Updated apache, php, mod_perl, and auth_ldap packages are now available for Red Hat Linux 5.2, 6.0, 6.1, 6.2, and 7. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha

(This is a re-release of the previous errata caused by a missing patch). A locally-exploitable security hole was found where a normal user could trick root running GnoRPM into writing to arbitrary files due to a bug in the gnorpm tmp file handling. 2000-11-27: Added packages for Red Hat Linux 7 for Alpha