Showing headlines posted by dave

glint blindly follows a symlink in /tmp, overwriting the target file, so it can conceivably be used to destroy any file on the system.

The syslogd package consists of two daemons that are being launched upon system startup: klogd and syslogd. The former collects kernel messages and passes them on to the syslog(3) facility. syslogd will pick up the logging messages and write them to the logfiles as specified by the syslogd configuration file /etc/syslog.conf. Errors in both the klogd and the syslogd can cause both daemons do die when specially designed strings get passed to the kernel by the user, eg. with a malformed structure in a system call. These errors have been discovered by Jouko Pynnönen, Solar Designer, a fix for one of the bugs has been provided by Daniel Jacobowitz.

Multiple vulnerabilities have been reported in syslogd and klogd. A local root exploit is possible, and remote exploits may be possible in some cases (though we are not currently aware of a remote exploit.)

A string format / buffer overflow bug has been discovered in klogd, the kernel logging daemon. Please upgrade to the new sysklogd 1.4 package available on the Slackware FTP site.

Various vulnerabilities exist in syslogd/klogd. By exploiting these vulnerabilities, it could be possible for local users to gain root access. No remote exploit exists at this time, but it remains theoretically possible that this vulnerability could be exploited remotely under certain rare circumstances. All users should upgrade to the new sysklogd packages. Users of Red Hat Linux 6.0 and 6.1 should use the packages for Red Hat Linux 6.

We would appreciate hearing whether we have allowed enough time for the slink->potato transition. Please direct your comments to feedback@security.debian.org

Security hole in screen in Red Hat Linux 5.2 and earlier releases

An input validation bug was found to affect Slackware Linux 7.0, 7.1, and -current.

Security problem in temporary file and malicious URL.

pam_smb is a package for a PAM (Pluggable Authentication Modules) module that allows Linux/Unix user authentication using a Windows NT server. Versions 1.1.5 and before contain a buffer overflow that would allow a remote attacker to gain root access on the target host, provided that the target host has the module installed and configured. The bug was found by Shaun Clowes <shaun@securereality.com.au>, and a new, fixed version of the package was promptly published by Dave Airlie <airlied@samba.org>, the author of the pam_smb package.

libpam-smb contains a buffer overflow that can be used to execute arbitrary commands with root privilege. libpam-smb was not shipped with Debian 2.1 (slink), but was included in Debian 2.2 (potato).

The mgetty-sendfax package contains a vulnerability which allows any user with access to the /var/tmp directory to destroy any file on any mounted filesystem.

xpdf as distributed in Debian GNU/Linux 2.2 suffered from two problems: 1. creation of temporary files was not done safely which made xpdf vulnerable to a symlink attack. 2. when handling URLs in documents no checking was done for shell metacharacters before starting the browser. This makes it possible to construct a document which cause xpdf to run arbitrary commands when the user views an URL.

imp as distributed in Debian GNU/Linux 2.2 suffered from insufficient checking of user supplied data: the IMP webmail interface did not check the $from variable which contains the sender address for shell metacharacters. This could be used to run arbitrary commands on the server running imp.

Several bugs were discovered in glibc which could allow local users to gain root privileges.

The default package selection in SuSE distributions includes apache. The configuration file that comes with the package contains two security relevant errors:

screen, a tty multiplexer, is installed suid root by default on SuSE Linux distributions. By supplying a thoughtfully designed string as the visual bell message, local users can obtain root privilege. Exploit information has been published on security forums.

The glibc implementations in all SuSE distributions starting with SuSE-6.0 have multiple security problems where at least one of them allows any local user to gain root access to the system.

Three locale-related vulnerabilities with glibc 2.1.3 were recently reported on BugTraq. These vulnerabilities could allow local users to gain root access.

Recently two problems have been found in the glibc suite, which could be used to trick setuid applications to run arbitrary code.