Showing all newswire headlines

Cade Cairns of Securityfocus discovered a vulnerability in the sendmail program, the widely spread MTA used in Unix- and Unix-like systems. A local user can write arbitrary data to the process memory, resulting in user-controlled code to be executed as user root. Please note that this is a _local_ vulnerability: Local shell access is needed for the attacker to be able to take advantage of this error. The /usr/sbin/sendmail program is installed set-uid root in most installations. This special privilege is needed for the sendmail program to operate properly. The attack pattern involves running sendmail to make use of the setuid-bit. Please note that this is the first sendmail security problem since 1997.

Sdbsearch.cgi is Perl script which is part of the sdb package of SuSE Linux was found vulnerable by using untrustworthy client input (HTTP_REFERER). By exploiting this trust an attacker could force the sdbsearch.cgi script to open a malicious keylist file which includes keywords and filenames. By replacing the filename in the keylist file with the Perl pipe followed by arbitrary shell commands the sdbsearch.cgi would execute these commands when trying to open these 'filenames'. Note, that the attacker needs local access to the machine to store the keylist file on the server running sdbsearch.cgi. Misconfigured ftp accounts, trojan tar balls or RPM files could also be used.

Fetchmail is a tool for retrieving and forwarding mail. Two vulnerabilities in the code of fetchmail were found in the last weeks. 1.) By sending a header with a large "To:" line a buffer overflow will be triggered in the header parsing code. 2.) By impersonating a pop3 or imap server by using DNS spoofing or getting control over the pop3/imap server an attacker could trigger a buffer overflow in the pop3 and imap code of fetchmail. All the attacker has to do is to fake a LIST response message and providing two integers. One will used as index for a stack array and the other one is the value written to this index. Both vulnerabilities could be used to get remote access to the system with the privilege of the user running fetchmail.

This is a followup to the problem described in DSA 075-1. Please read the original advisory to find out more about the security problem. This advisory and upload only fixes a problem with binary packages for sparc that were mistakenly linked to the wrong library.

The telnet daemon contained in the netkit-telnet-ssl_0.16.3-1 package in the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an exploitable overflow in its output handling. The original bug was found by <scut@nb.in-berlin.de>, and announced to bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were not believed to be vulnerable. On Aug 10 2001, zen-parse posted an advisory based on the same problem, for all netkit-telnet versions below 0.17. More details can be found on http://www.securityfocus.com/archive/1/203000 . As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote root compromise on Debian systems; the 'telnetd' user can be compromised.

Alban Hertroys found a buffer overflow in Window Maker (a popular window manager for X). The code that handles titles in the window list menu did not check the length of the title when copying it to a buffer. Since applications will set the title using untrusted data (for example web browsers will set the title of their window to the title of the web-page being shown) this could be exploited remotely.

The Horde team released version 2.2.6 of IMP (a web based IMAP mail program) which fixes three security problems. Their release announcement describes them as follows:

Zenith Parse found a security problem in groff (the GNU version of troff). The pic command was vulnerable to a printf format attack which made it possible to circumvent the -S option and execute arbitrary code.

The telnet daemon contained in the netkit-telnet_0.16-4potato1 package in the 'stable' (potato) distribution of Debian GNU/Linux is vulnerable to an exploitable overflow in its output handling. The original bug was found by <scut@nb.in-berlin.de>, and announced to bugtraq on Jul 18 2001. At that time, netkit-telnet versions after 0.14 were not believed to be vulnerable. On Aug 10 2001, zen-parse posted an advisory based on the same problem, for all netkit-telnet versions below 0.17. More details can be found on http://www.securityfocus.com/archive/1/203000 . As Debian uses the 'telnetd' user to run in.telnetd, this is not a remote root compromise on Debian systems; the 'telnetd' user can be compromised.

Salvatore Sanfilippo found two remotely exploitable problems in fetchmail while doing a security audit. In both the imap and pop3 code the input is not verified and used to store a number in an array. Since no bounds checking is done this can be used by an attacker to write arbitrary data in memory. An attacker can use this if we can get a user to transfer mail from a custom imap or pop3 server he controls.

New telnet, telnet-server packages are available for Red Hat Linux 5.2, 6.2, 7.0 and 7.1. These packages fix a problem where buffer overflows can provide root access to local users. It is recommended that all users update to the fixed packages.

Updated openldap packages are now available for Red Hat Linux 6.2, 7, and 7.1. These packages include fixes for problems which could allow a malicious remote user to crash a server.

The version of xloadimage (a graphics files viewer for X) that was shipped in Debian GNU/Linux 2.2 has a buffer overflow in the code that handles FACES format images. This could be exploited by an attacker by tricking someone into viewing a specially crafted image using xloadimage which would allow him to execute arbitrary code.

CERT released their advisory CA-2001-18 which lists a number of vulnerabilities in various LDAP implementations. based on the results of the PROTOS LDAPv3 test suite. These tests found one problem in OpenLDAP, a free LDAP implementation that is shipped as part of Debian GNU/Linux 2.2.

Cda, a setuid commandline part of xmcd, a X11/Motif audio CD player by Ti Kan <ti@amb.org>, was found vulnerable by a link attack and some bufferoverflows. These bugs could be exploited by an adversary, who has access to the system, to overwrite files or gain higher privileges.

We have received reports that the 'apache' http daemon, as included in the Debian 'stable' distribution, is vulnerable to the 'artificially long slash path directory listing vulnerability' as described in http://www.securityfocus.com/vdb/bottom.html?vid=2503 .

xli, aka xloadimage, a image viewer for X11 is used by Netscape's plugger to display TIFF-, PNG- and Sun-Raster-images. The plugger configuration file is /etc/pluggerrc. Due to missing boundary checks in the xli code a buffer overflow could be triggered by an external attacker to execute commands on the victim's system. An exploit is publically available.

New squid packages are available for Red Hat Linux 7.0 that fix a possible security problem with Squid's HTTP accelerator feature. If Squid was configured in accelerator-only mode, it was possible for remote users to portscan machines through the Squid proxy, potentially allowing for access to machines not otherwise available. It is recommended that users who use Squid in accelerator-only mode update to the fixed packages. Note that Red Hat Linux 7.1 is not affected by this vulnerability, nor are releases prior to Red Hat Linux 7.0.

Procmail, an autonomous mail processor, as shipped in Red Hat Linux 5.2, 6.2, 7, and 7.1, handles signals unsafely.

Updated openssl packages are now available for Red Hat Linux 6.x and 7. These packages include security-related changes made in OpenSSL 0.9.6a and 0.9.6b which have been backported to previous versions released for Red Hat Linux. In addition, this advisory provides OpenSSL 0.9.6 packages for Red Hat Linux 7, which may be used by future updates to both Red Hat Linux 7 and Red Hat Linux 7.1.