
[Sun] Vulnerabilities in bzip2 up to version 1.0.2 - 103118




Dear colleagues,
we have just received the following bulletin from the SUN Customer Warning
System. We are passing this information on to you unchanged.

CVE-2005-0953 - Race condition in bzip2 up to version 1.0.2

  A race condition vulnerability in bzip2 allows a local attacker to
  carry out a symlink attack on a file that is currently being
  decompressed with bzip2 and whose permissions are changed by bzip2
  after decompression. This enables an attacker to change the
  permissions of the user's files.

CVE-2005-1260 - Denial of service through a vulnerability in bzip2

  A bug in bzip2 causes an infinite loop in the program when bzip2 is
  used to access a specially crafted compressed file. As a result, an
  output file is created that keeps growing until the disk space on the
  affected partition is used up. A remote attacker can exploit this for
  a denial of service attack by sending the victim such a file by mail
  or offering it on the web, with the victim then accessing it using a
  vulnerable bzip2 version.

The following software packages and platforms are affected:

  Program bzip2

  SPARC platform
   * Solaris 8
   * Solaris 9 without patch 114586-02
   * Solaris 10 without patch 126868-01
  
  x86 platform
   * Solaris 8
   * Solaris 9 without patch 114587-02
   * Solaris 10 without patch 126869-02

The vendor provides revised packages.

Vendor advisory:
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-103118-1


(c) of the German summary held by DFN-CERT Services GmbH; distribution,
including in excerpts, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Best regards,
	Jan Kohlrausch
-- 
Jan Kohlrausch (CSIRT), Phone +49 40 808077-555

DFN-CERT Services GmbH, https://www.dfn-cert.de,  Phone  +49 40 808077-555
Registered office / Register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Heidenkampsweg 41, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski


Sun(sm) Alert Notification
     * Sun Alert ID: 103118
     * Synopsis: Two Security Vulnerabilities in the bzip2(1) Command may Allow
       the Permissions of Arbitrary Files to be Modified or Allow for
       Arbitrarily Large Files to be Created
     * Category: Security
     * Product: Solaris 9 Operating System, Solaris 10 Operating System,
       Solaris 8 Operating System
     * BugIDs: 6353235
     * Avoidance: Patch, Workaround
     * State: Workaround
     * Date Released: 16-Oct-2007
     * Date Closed:
     * Date Modified:

1. Impact

   A security vulnerability in the bzip2(1) command may allow a local
   unprivileged user to be able to read or modify files owned by another local
   user who invokes bzip2(1) to either compress or decompress files in a world
   writable directory. This could include system files if bzip2(1) is issued by
   a privileged user. [CVE-2005-0953]

   A second security vulnerability in the bzip2(1) command may allow
   arbitrarily large files to be created when decompressing specially crafted
   bzip2(1) archives which may exhaust disk space and could cause a Denial of
   service (DoS). [CVE-2005-1260]

   These issues are described in the following documents:

   CVE-2005-0953 at:
     * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0953

   CVE-2005-1260 at:
     * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1260

2. Contributing Factors

   These issues can occur in the following releases:

   SPARC Platform
     * Solaris 8
     * Solaris 9 without patch 114586-02
     * Solaris 10 without patch 126868-01

   x86 Platform
     * Solaris 8
     * Solaris 9 without patch 114587-02
     * Solaris 10 without patch 126869-02

   Note 1: The file modification issue (CVE-2005-0953) only affects versions of
   bzip2(1) prior to 1.0.4.

   Note 2: The arbitrarily large file issue (CVE-2005-1260) only affects
   versions of bzip2(1) prior to 1.0.3.

   Note 3: The version of bzip2(1) on a system can be determined by running the
   following command:
    $ bzip2 --version
    bzip2, a block-sorting file compressor.  Version 1.0.4, 20-Dec-2006.
    [...]
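
   The check from Notes 1 to 3 as a script. This is an added example, not part
   of the Sun Alert; the function names are hypothetical and the banner in the
   sample run is constructed.

```shell
#!/bin/sh
# Added example: map a bzip2 version banner to the CVEs named in Notes 1 and 2.

# Extract the dotted version from a banner line such as
# "bzip2, a block-sorting file compressor.  Version 1.0.4, 20-Dec-2006."
bzip2_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*Version \([0-9][0-9.]*[0-9]\),.*/\1/p' | head -n 1
}

# Return 0 if dotted version $1 is strictly lower than $2 (numeric per field).
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1
}

# Print the CVE IDs that apply to version $1:
#   Note 1: CVE-2005-0953 affects versions prior to 1.0.4
#   Note 2: CVE-2005-1260 affects versions prior to 1.0.3
bzip2_cves_for_version() {
    out=
    if version_lt "$1" 1.0.4; then out="CVE-2005-0953"; fi
    if version_lt "$1" 1.0.3; then out="$out CVE-2005-1260"; fi
    printf '%s\n' "$out"
}

# Sample run on a constructed banner. On a live system the banner can be
# captured with: banner=$(bzip2 --version 2>&1 >/dev/null </dev/null)
banner='bzip2, a block-sorting file compressor.  Version 1.0.2, 30-Dec-2001.'
v=$(bzip2_version_from_banner "$banner")
cves=$(bzip2_cves_for_version "$v")
echo "bzip2 $v: ${cves:-not affected by either issue}"
```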


3. Symptoms

   If the file modification issue (CVE-2005-0953) has occurred, one or more
   files owned by the user who issued the bzip2(1) command would have their
   permissions changed.

   The symptom of the arbitrarily large file issue (CVE-2005-1260) is the
   bzip2(1) command taking a long amount of time and the output file
   continuously growing in size.

4. Relief/Workaround

   The file modification issue (CVE-2005-0953) can be avoided by not
   compressing or decompressing files using bzip2(1) in world writable
   directories.

   The arbitrarily large file issue (CVE-2005-1260) can be avoided by only
   decompressing bzip2(1) files from trusted sources.
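
   One way to enforce the first workaround before bzip2(1) runs, as an added
   example that is not part of the Sun Alert. The wrapper name and the
   BZ_MAX_BLOCKS variable are hypothetical; the output size cap goes beyond the
   workaround text and bounds the growing output file described under Symptoms.

```shell
#!/bin/sh
# Added example (not from the advisory): pre-flight guard around bzip2.

# Return 0 if directory $1 is writable by "other", 1 if not, 2 if it cannot
# be listed. Character 9 of the ls mode string (e.g. drwxrwxrwt) is that bit.
is_world_writable() {
    mode=$(ls -ldL -- "$1" 2>/dev/null) || return 2
    case $mode in
        d???????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Hypothetical wrapper: the last argument is the file to (de)compress.
# BZ_MAX_BLOCKS is an assumed knob passed to "ulimit -f" (blocks of 512 bytes
# in POSIX sh, 1024 bytes in bash); the default is a constructed value.
guarded_bzip2() {
    [ $# -gt 0 ] || return 2
    for f in "$@"; do :; done
    case $f in
        */*) dir=${f%/*}; dir=${dir:-/} ;;
        *)   dir=. ;;
    esac
    rc=0
    is_world_writable "$dir" || rc=$?
    case $rc in
        0) echo "refusing: $dir is world writable (CVE-2005-0953)" >&2
           return 1 ;;
        1) # Cap the output size so a looping decompression (CVE-2005-1260)
           # is stopped instead of filling the partition.
           ( ulimit -f "${BZ_MAX_BLOCKS:-2097152}" && exec bzip2 "$@" ) ;;
        *) echo "cannot inspect $dir" >&2
           return 2 ;;
    esac
}
```

   Called as `guarded_bzip2 -d /path/to/file.bz2`, the wrapper passes all
   arguments through to bzip2(1) unchanged once the directory check succeeds.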

5. Resolution

   These issues are addressed in the following releases:

   SPARC Platform
     * Solaris 9 with patch 114586-02 or later
     * Solaris 10 with patch 126868-01 or later

   x86 Platform
     * Solaris 9 with patch 114587-02 or later
     * Solaris 10 with patch 126869-02 or later

   A final resolution is pending completion.

   This Sun Alert notification is being provided to you on an "AS IS" basis.
   This Sun Alert notification may contain information provided by third
   parties. The issues described in this Sun Alert notification may or may not
   impact your system(s). Sun makes no representations, warranties, or
   guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
   HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
   IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
   CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
   INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
   proprietary and confidential information. It is being provided to you
   pursuant to the provisions of your agreement to purchase services from Sun,
   or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
   Alert notification may only be used for the purposes contemplated by these
   agreements.

   Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
   Clara, CA 95054 U.S.A. All rights reserved.