Date: Wed, 29 Mar 2006 16:39:15 -0700
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #279
SecurityFocus Linux Newsletter #279
----------------------------------------
Test your Network Security Free with QualysGuard
Requiring NO software, QualysGuard will safely and accurately test your
network and provide you with the necessary fixes to proactively guard
your network. Try QualysGuard Risk Free with No Obligation.
http://www.securityfocus.com/cgi-bin/ib.pl
------------------------------------------------------------------
I. FRONT AND CENTER
1. Security Czar
2. Learning an advanced skillset
II. LINUX VULNERABILITY SUMMARY
1. PHPWebSite Multiple SQL Injection Vulnerabilities
2. cURL / libcURL TFTP URL Parser Buffer Overflow Vulnerability
3. X.Org X Window Server Local Privilege Escalation Vulnerability
4. FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability
5. Linux Kernel Netfilter Do_Replace Local Buffer Overflow Vulnerability
6. RunIt CHPST Privilege Escalation Vulnerability
7. Util-VServer Unknown Linux Capabilities Vulnerability
8. SNMPTRAPFMT Insecure Temporary File Creation Vulnerability
9. Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
10. Beagle Insecure Path Arbitrary Code Execution Vulnerability
11. RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
12. Linux Kernel Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
13. Linux Kernel Get_Compat_Timespec and PTrace Local Denial Of Service Vulnerabilities
14. Gentoo Nethack And Variants Local Privilege Escalation Vulnerability
15. Vavoom Multiple Denial of Service Vulnerabilities
16. Noah Grey Greymatter Arbitrary File Upload Vulnerability
17. Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
18. FreeRadius RLM_SQLCounter SQL Injection Vulnerability
19. Tetris-BSD Tetris-bsd.scores Local Privilege Escalation Vulnerability
III. LINUX FOCUS LIST SUMMARY
1. Systrace 1.6: Phoenix Release for Linux
2. Libnids
V. SPONSOR INFORMATION
I. FRONT AND CENTER
---------------------
1. Security Czar
By Scott Granneman
In this column Scott Granneman takes the role of dictator of the
security world and presents his ideas about mandatory reforms that would
improve security for millions of people.
http://www.securityfocus.com/columnists/394
2. Learning an advanced skillset
By Don Parker
The purpose of this article is to guide network security analysts
towards learning the advanced skillset required to help further their
careers. We'll look at two key pillars of knowledge, protocols and
programming, and why they're both so important in the security field.
http://www.securityfocus.com/infocus/1861
II. LINUX VULNERABILITY SUMMARY
------------------------------------
1. PHPWebSite Multiple SQL Injection Vulnerabilities
BugTraq ID: 17150
Remote: Yes
Date Published: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17150
Summary:
phpWebSite is prone to multiple SQL-injection vulnerabilities. These
issues are due to a failure in the application to properly sanitize
user-supplied input before using it in SQL queries.
A successful exploit could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in the
underlying database implementation.
2. cURL / libcURL TFTP URL Parser Buffer Overflow Vulnerability
BugTraq ID: 17154
Remote: Yes
Date Published: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17154
Summary:
cURL and libcURL are prone to a buffer-overflow vulnerability. This
issue is due to a failure in the library to perform proper bounds checks
on user-supplied data before using it in a finite-sized buffer.
The issue occurs when the URL parser handles an excessively long URL
string with a TFTP protocol prefix 'tftp://'.
An attacker can exploit this issue to crash the affected library,
effectively denying service. Arbitrary code execution may also be possible,
which may facilitate a compromise of the underlying system.
3. X.Org X Window Server Local Privilege Escalation Vulnerability
BugTraq ID: 17169
Remote: No
Date Published: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17169
Summary:
The X.Org X Window server is prone to a privilege-escalation
vulnerability.
A local attacker can exploit this issue to load arbitrary modules and
execute them or overwrite arbitrary files with superuser privileges.
This may facilitate a complete compromise of the affected computer.
4. FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability
BugTraq ID: 17171
Remote: Yes
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17171
Summary:
FreeRADIUS is prone to an authentication-bypass vulnerability. The
issue exists in the EAP-MSCHAPv2 state machine. Bypassing authentication
could also cause the server to crash.
FreeRADIUS versions from 1.0.0 to 1.1.0 are vulnerable.
5. Linux Kernel Netfilter Do_Replace Local Buffer Overflow Vulnerability
BugTraq ID: 17178
Remote: No
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17178
Summary:
The Linux kernel is susceptible to a local buffer-overflow
vulnerability. This issue is due to the kernel's failure to properly bounds-check
user-supplied input before using it in a memory copy operation.
This issue allows local attackers to overwrite kernel memory with
arbitrary data, potentially allowing them to execute malicious machine code
in the context of affected kernels. This vulnerability facilitates the
complete compromise of affected computers.
This issue is exploitable only by local users who have superuser
privileges or have the CAP_NET_ADMIN capability. This issue is therefore a
security concern only if computers run virtualization software that
allows users to have superuser access to guest operating systems or if the
CAP_NET_ADMIN capability is given to untrusted users.
Linux kernel versions prior to 2.6.16 in the 2.6 series are affected by
this issue.
6. RunIt CHPST Privilege Escalation Vulnerability
BugTraq ID: 17179
Remote: Yes
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17179
Summary:
Runit is susceptible to a local privilege-escalation vulnerability.
This issue is due to a flaw in the 'chpst' utility that results in
programs gaining unintended, elevated group privileges.
This issue will have varying consequences depending on the nature of
programs executed by the affected utility. Attackers exploiting latent
vulnerabilities in applications may gain access to elevated group
privileges.
Runit versions prior to 1.4.1 are affected by this issue. This affects
only packages that are compiled with 16-bit gid_t types (such as when
compiled with dietlibc).
7. Util-VServer Unknown Linux Capabilities Vulnerability
BugTraq ID: 17180
Remote: Yes
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17180
Summary:
The util-vserver package for the Linux-VServer project is susceptible
to an unknown Linux capability vulnerability. The package fails to
properly handle unknown Linux capabilities.
The exact consequences of this issue are currently unknown. They depend
on the nature of the unknown capabilities and on the nature of the
applications that use them. Hosted virtual servers may possibly gain
inappropriate access to the hosting operating system.
8. SNMPTRAPFMT Insecure Temporary File Creation Vulnerability
BugTraq ID: 17182
Remote: No
Date Published: 2006-03-22
Relevant URL: http://www.securityfocus.com/bid/17182
Summary:
The 'snmptrapfmt' package creates temporary files in an insecure
manner. This may allow a local attacker to perform symbolic-link attacks.
Successful exploits may cause sensitive data or configuration files to
be overwritten. This may result in a denial of service; other attacks
may also be possible.
9. Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
BugTraq ID: 17192
Remote: Yes
Date Published: 2006-03-22
Relevant URL: http://www.securityfocus.com/bid/17192
Summary:
Sendmail is prone to a remote code-execution vulnerability.
Remote attackers may leverage this issue to execute arbitrary code with
the privileges of the application, which typically runs as superuser.
Sendmail versions prior to 8.13.6 are vulnerable to this issue.
10. Beagle Insecure Path Arbitrary Code Execution Vulnerability
BugTraq ID: 17195
Remote: No
Date Published: 2006-03-22
Relevant URL: http://www.securityfocus.com/bid/17195
Summary:
Beagle is susceptible to an insecure path vulnerability that can lead
to arbitrary code execution.
Attackers can place malicious code in a publicly writable directory and
cause the Beagle wrapper scripts to execute it. This results in the
execution of arbitrary code with the privileges of the user running the
vulnerable application.
11. RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 17202
Remote: Yes
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17202
Summary:
Various RealNetworks products are prone to multiple buffer-overflow
vulnerabilities.
These issues can result in memory corruption and facilitate arbitrary
code execution. A successful attack can allow remote attackers to
execute arbitrary code in the context of the application to gain unauthorized
access.
12. Linux Kernel Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
BugTraq ID: 17203
Remote: No
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17203
Summary:
The Linux kernel is affected by local memory-disclosure
vulnerabilities. These issues are due to the kernel's failure to properly clear
previously used kernel memory before returning it to local users.
These issues allow an attacker to read kernel memory and potentially
gather information to use in further attacks.
13. Linux Kernel Get_Compat_Timespec and PTrace Local Denial Of Service Vulnerabilities
BugTraq ID: 17216
Remote: No
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17216
Summary:
Two local denial-of-service vulnerabilities affect the Linux kernel.
These issues are platform specific. The 'get_compat_timespec()' issue
affects only the SPARC architecture; the 'ptrace()' issue affects only the
ia64 architecture.
Local attackers may exploit these vulnerabilities to trigger a kernel
crash, denying service to legitimate users.
14. Gentoo Nethack And Variants Local Privilege Escalation Vulnerability
BugTraq ID: 17217
Remote: No
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17217
Summary:
Nethack and its variant versions are prone to a local
privilege-escalation vulnerability. The issue results from a design error.
A local attacker can leverage this issue to exploit latent
vulnerabilities in applications by overwriting shared game data files.
15. Vavoom Multiple Denial of Service Vulnerabilities
BugTraq ID: 17261
Remote: Yes
Date Published: 2006-03-27
Relevant URL: http://www.securityfocus.com/bid/17261
Summary:
Vavoom is prone to two denial-of-service vulnerabilities. These issues
can cause the application to stop responding or fail.
Vavoom 1.19.1 and earlier are affected.
16. Noah Grey Greymatter Arbitrary File Upload Vulnerability
BugTraq ID: 17271
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17271
Summary:
Greymatter is prone to an arbitrary file-upload vulnerability.
An attacker can exploit this vulnerability to upload arbitrary code and
execute it in the context of the webserver process. This may facilitate
unauthorized access or privilege escalation; other attacks are also
possible.
17. Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
BugTraq ID: 17288
Remote: No
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17288
Summary:
Multiple packages in Debian GNU/Linux are susceptible to an insecure
RUNPATH vulnerability. This issue is due to a flaw in the build system
that results in insecure RUNPATHs being included in certain binaries.
This vulnerability may result in arbitrary code being executed in the
context of users who run the vulnerable executables. This may facilitate
privilege escalation.
18. FreeRadius RLM_SQLCounter SQL Injection Vulnerability
BugTraq ID: 17294
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17294
Summary:
FreeRADIUS is prone to an SQL-injection vulnerability. This issue is
due to a failure in the application to properly sanitize user-supplied
input before using it in an SQL query.
Successful exploitation could allow an attacker to compromise the
application, access or modify data, or exploit vulnerabilities in the
underlying database implementation.
19. Tetris-BSD Tetris-bsd.scores Local Privilege Escalation Vulnerability
BugTraq ID: 17308
Remote: No
Date Published: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17308
Summary:
Tetris-BSD is prone to a local privilege-escalation vulnerability. The
issue results from a design error.
A local attacker can leverage this issue to exploit latent
vulnerabilities in applications by overwriting shared game data files.
III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Systrace 1.6: Phoenix Release for Linux
http://www.securityfocus.com/archive/91/428672
2. Libnids
http://www.securityfocus.com/archive/91/428026
V. SPONSOR INFORMATION
------------------------