Showing all newswire headlines

New elm packages are available for Red Hat Linux 5.2, 6.2, 7 and 7.1. These packages fix a buffer overflow in the message-id handling.

New util-linux packages are available for Red Hat Linux 7.1. These packages fix a problem where vipw would leave the /etc/shadow file world-readable after editing it. It is recommended that all users update to the fixed packages. Also, if you have used vipw on Red Hat Linux 7.1 before, make sure to run (as root): chmod 0400 /etc/shadow

Steven van Acker reported on bugtraq that the version of cfingerd (a configurable finger daemon) as distributed in Debian GNU/Linux 2.2 suffers from two problems:

These updated packages fix a buffer overflow in the faces reader. This is normally not a security problem; however, xloadimage is called by the 'plugger' program from inside Netscape to handle some image types. Hence, a remote site could cause arbitrary code to be executed as the user running Netscape. It is recommended that users of Netscape and plugger update to the fixed xloadimage packages. Plugger was shipped in Red Hat Powertools 6.2; if you have only installed packages from Red Hat Linux 6.2, you are not vulnerable to this exploit.

A vulnerability has been found in xinetd's string handling.

Tkined's Scotty is a Tcl extension to build network management applications. Ntping, a ping/traceroute program, is part of the Scotty package. It's failure is to read a hostname as commandline option without checking the size. This leads to a bufferoverrun, that could be used to gain root privileges, because ntping is installed setuid root and is executeable by everyone.

Zen-parse has reported a bug to Bugtraq which allows remote attackers to overflow a buffer in the logging routine of xinetd. During investigation we found that more problems exist within xinetd. Xinetd provides its own string-handling (snprintf()-like functions) routines and fails to handle length arguments of 0 properly. Instead of an immediate return it assumes 'no limit' for writing characters to the target-buffer. This can lead to overflows and arbitrary remote code-execution. Additionally xinetd now sets the correct umask before starting other deamons. Please update the packages immediately, kill the old deamon and start the new xinetd deamon with the

Michal Zalewski discovered that a remote attacker can write to files owned by root if the samba config file /etc/smb.conf contains the %m macro to specify the logfile for logging access to the samba server. The %m macro substitutes the NetBIOS name - improper validation of this name allows an attacker to write to any file in the system.

New Samba packages are available for Red Hat Linux 5.2, 6.2, 7 and 7.1. These packages fix a security problem with remote clients giving special NetBIOS names to the server. It is recommended that all Samba users upgrade to the fixed packages. Please note that the packages for Red Hat Linux 6.2 require an updated logrotate package.

Michal Zalewski discovered that samba does not properly validate NetBIOS names from remote machines.

New updated XFree86 3.3.6 packages are available for Red Hat Linux 7.1, 7.0, and 6.2 which contain many security updates, bug fixes, and updated drivers for various different families of video hardware including: S3 Savage, S3 Trio64, S3 ViRGE, Intel i810/i815, ATI Rage Mobility Mach64, and numerous other driver fixes and improvements.

A security hole has been found that does not affect the default configuration of Red Hat Linux, but it can affect some custom configurations of Red Hat Linux 7.1. The bug is specific to the Linux

zen-parse reported on bugtraq that there is a possible buffer overflow in the logging code from xinetd. This could be triggered by using a fake identd that returns special replies when xinetd does an ident request.

Samuel Dralet reported on bugtraq that version 2.6.2 of rxvt (a VT102 terminal emulator for X) have a buffer overflow in the tt_printf() function. A local user could abuse this making rxvt print a special string using that function, for example by using the -T or -name command-line options. That string would cause a stack overflow and contain code which rxvt will execute.

The version of GnuPG (GNU Privacy Guard, an OpenPGP implementation) as distributed in Debian GNU/Linux 2.2 suffers from two problems:

Wolfram Kleff found a problem in fetchmail: it would crash when processing emails with extremely long headers. The problem was a buffer overflow in the header parser which could be exploited.

When LPRng drops uid and gid, it fails to drop membership in its supplemental groups.

Luki R. reported a bug in man-db: it did handle nested calls of drop_effective_privs() and regain_effective_privs() correctly which would cause it to regain privileges to early. This could be abused to make man create files as user man.

Megyer Laszlo found a printf format bug in the exim mail transfer agent. The code that checks the header syntax of an email logs an error without protecting itself against printf format attacks.

Updated GnuPG packages are now available for Red Hat Linux 6.2, 7, and 7.1. These updates include fixes for the recently-discovered format string vulnerability.