Klaus Frank has found a vulnerability in the way gnuserv handled remote connections. Gnuserv is a remote control facility for Emacsen which is available as standalone program as well as included in XEmacs21. Gnuserv has a buffer for which insufficient boundary checks were made. Unfortunately this buffer affected access control to gnuserv which is using a MIT-MAGIC-COOCKIE based system. It is possible to overflow the buffer containing the cookie and foozle cookie comparison.
Christer Öberg of Wkit Security AB found a problem in joe (Joe's Own Editor). joe will look for a configuration file in three locations: the current directory, the users homedirectory ($HOME) and in /etc/joe. Since the configuration file can define commands joe will run (for example to check spelling) reading it from the current directory can be dangerous: an attacker can leave a .joerc file in a writable directory, which would be read when a unsuspecting user starts joe in that directory.
Bill Nottingham reported a problem in the wrapping/unwrapping functions of the slrn newsreader. A long header in a message might overflow a buffer and which could result into executing arbitraty code encoded in the message.
This is an update to the DSA-032-1 advisory. The powerpc package that was listed in that advisory was unfortunately compiled on the wrong system which caused it to not work on a Debian GNU/Linux 2.2 system.
The version of GNU libc that was distributed with Debian GNU/Linux 2.2 suffered from 2 security problems:
Former versions of sgml-tools created temporary files directly in /tmp in an insecure fashion. Version 1.0.9-15 and higher create a subdirectory first and open temporary files within that directory.
It has been reported that the AsciiSrc and MultiSrc widget in the Athena widget library handle temporary files insecurely. Joey Hess has ported the bugfix from XFree86 to these Xaw replacements libraries.
It has been reported that a local user could tweak Midnight Commander of another user into executing a random program under the user id of the person running Midnight Commander. This behaviour has been fixed by Andrew V. Samoilov.
It has been reported that one can tweak man2html remotely into consuming all available memory. This has been fixed by Nicolás Lichtmaier with help of Stephan Kulow.
Fumitoshi Ukai and Denis Barbier have found several potential buffer overflow bugs in our version of ePerl as distributed in all of our distributions.
The author of analog, Stephen Turner, has found a buffer overflow bug in all versions of analog except of version 4.16. A malicious user could use an ALIAS command to construct very long strings which were not checked for length and boundaries. This bug is particularly dangerous if the form interface (which allows unknown users to run the program via a CGI script) has been installed. There doesn't seem to be a known exploit.
The following problems have been reported for the version of proftpd in Debian 2.2 (potato):
Todd Miller announced a new version of sudo which corrects a buffer overflow that could potentially be used to gain root privilages on the local system. This bugfix has been backported to the version which was used in Debian GNU/Linux 2.2.
In Debian Security Advisory DSA 029-1 we have reported several vulnerabilities in proftpd that have been fixed. For details please read the main advisory. This upload fixes:
In Debian Security Advisory DSA 011-1 we have reported insecure creation of temporary files in the mgetty package that have been fixed. For details please read the main advisory.
CUPS is an implementation of the Internet Printing Protocol (IPP) and is used as an alternative to the lpr and LPRng packages. The CUPS package aims to be a comprehensive printing solution for UN*X-systems. In SuSE-7.1 distribution, the cups package is not used by any configuration utilities unless the admin has decided to configure the package manually. The cups package has been introduced in the SuSE-7.1 distribution; enhanced support for future releases of the SuSE Linux distribution is planned. A SuSE-internal security audit conducted by Sebastian Krahmer and Thomas Biege revealed several overflows as well as insecure file handling. These bugs have been fixed by adding length-checks and securing the file-access. For a temporary workaround, remove the suid-bit from the 'lppasswd' program. Make sure nobody from outside your network can access the CUPS-server running on port 631. Allowing access to this port from outside is a bad idea regardless whether or not the used version is vulnerable.
Updated joe packages are available for Red Hat Linux 5.2, 6.x and 7.
Todd Miller announced a new version of sudo which corrects a buffer overflow that could potentially be used to gain root privilages on the local system. The fix from sudo 1.6.3p6 is available in sudo 1.6.2p2-1potato1 for Debian 2.2 (potato).
New Zope packages are available which fix numerous security vulnerabilities.
Sudo 1.6.3p6 is now available for Slackware 7.1 and Slackware -current. This release fixes a known buffer overflow, which could be used by malicious users to compromise parts of the system. If you rely on Sudo and use one of the above versions of Slackware, it is recommended that you upgrade to the new sudo.tgz package for the version you're running.