
UNIRAS Brief - 145/04 - Five Gentoo Security Advisories



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 145/04 dated 30.03.04  Time: 10:50  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Five Gentoo Security Advisories:

1. UUDeview MIME Buffer Overflow.

2. Multiple remote buffer overflow vulnerabilities in Courier.

3. Multiple remote overflows and vulnerabilities in Ethereal.

4. oftpd DoS vulnerability.

5. Buffer overflow in Midnight Commander.



Detail
====== 

1. By decoding a MIME archive with excessively long strings for various parameters, 
it is possible to crash UUDeview, or cause it to execute arbitrary code.

2. Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier 
MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized 
access to a vulnerable system.

3. Multiple overflows and vulnerabilities exist in Ethereal which may allow an attacker
to crash the program or run arbitrary code.

4. A remotely-exploitable overflow exists in oftpd, allowing an attacker to crash the
oftpd daemon.

5. A remotely-exploitable buffer overflow in Midnight Commander allows arbitrary code 
to be run on a user's computer.





1.  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-05
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: UUDeview MIME Buffer Overflow
      Date: March 26, 2004
      Bugs: #44859
        ID: 200403-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A specially-crafted MIME file (.mim, .uue, .uu, .b64, .bhx, .hqx, and .xxe extensions) may cause UUDeview to crash or execute arbitrary code.

Background
==========

UUDeview is a program which is used to transmit binary files over the Internet in a text-only format. It is commonly used for email and Usenet attachments. It supports multiple encoding formats, including Base64, BinHex and UUEncoding.

Description
===========

By decoding a MIME archive with excessively long strings for various parameters, it is possible to crash UUDeview, or cause it to execute arbitrary code.

This vulnerability was originally reported by iDEFENSE as part of a WinZip advisory [ Reference: 1 ].

Impact
======

An attacker could create a specially-crafted MIME file and send it via email. When the recipient decodes the file, UUDeview may execute arbitrary code which is embedded in the MIME file, thus granting the attacker access to the recipient's account.

Workaround
==========

All users should upgrade to UUDeview 0.5.20:

    # emerge sync
    # emerge -pv ">=app-text/uudeview-0.5.20"
    # emerge ">=app-text/uudeview-0.5.20"

References
==========

  [ 1 ] http://www.idefense.com/application/poi/display?id=76
  [ 2 ] http://www.securityfocus.com/bid/9758

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org.




2. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-06
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Multiple remote buffer overflow vulnerabilities in Courier
      Date: March 26, 2004
      Bugs: #45584
        ID: 200403-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Remote buffer overflow vulnerabilities have been found in Courier-IMAP and Courier MTA. These exploits may allow the execution of arbitrary code, allowing unauthorized access to a vulnerable system.

Background
==========

Courier MTA is a multiprotocol mail server suite that provides webmail, mailing lists, IMAP, and POP3 services. Courier-IMAP is a standalone server that gives IMAP access to local mailboxes.

Affected packages
=================

    -------------------------------------------------------------------
     Package                /   Vulnerable   /              Unaffected
    -------------------------------------------------------------------
     net-mail/courier-imap        < 3.0.0                     >= 3.0.0
     net-mail/courier             < 0.45                       >= 0.45

Description
===========

The vulnerabilities have been found in the 'SHIFT_JIS' converter in 'shiftjis.c' and 'ISO2022JP' converter in 'so2022jp.c'. An attacker may supply Unicode characters that exceed BMP (Basic Multilingual Plane) range, causing an overflow.
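
The class of defect described above, shown with its guard, as an added example that is not Courier's code: a converter whose lookup table is sized for the BMP must range-check each code point before using it as an index. The two-level table layout, the toy mapping and the name to_legacy are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BMP_MAX 0xFFFFu

/* Constructed toy mapping, not Courier's tables: 256 rows selected by the
 * high byte of a BMP code point, each row indexed by the low byte. */
static uint8_t row00[256], rowFF[256];
static const uint8_t *rows[256];        /* NULL row: nothing mapped there */

static void init_rows(void)
{
    for (int i = 0x01; i < 0x80; i++)
        row00[i] = (uint8_t)i;                 /* ASCII maps to itself */
    for (int i = 0x61; i <= 0x9F; i++)
        rowFF[i] = (uint8_t)(i + 0x40);        /* U+FF61..U+FF9F -> 0xA1..0xDF */
    rows[0x00] = row00;
    rows[0xFF] = rowFF;
}

/* Convert n code points into at most cap output bytes. Unmappable input is
 * replaced by '?' and counted in *replaced. Returns bytes written. */
size_t to_legacy(const uint32_t *in, size_t n, uint8_t *out, size_t cap,
                 size_t *replaced)
{
    size_t w = 0;
    *replaced = 0;
    if (rows[0] == NULL)
        init_rows();
    for (size_t i = 0; i < n && w < cap; i++) {
        uint32_t cp = in[i];
        uint8_t b = 0;
        /* Without this range check, cp >> 8 for U+1F600 is 0x1F6, an index
         * past the 256-entry rows[] array. */
        if (cp != 0 && cp <= BMP_MAX && rows[cp >> 8] != NULL)
            b = rows[cp >> 8][cp & 0xFF];
        if (b == 0) {
            b = '?';
            (*replaced)++;
        }
        out[w++] = b;
    }
    return w;
}

int main(void)
{
    /* Constructed input: 'A', U+FF71, one code point above the BMP. */
    const uint32_t in[] = { 0x41, 0xFF71, 0x1F600 };
    uint8_t out[8];
    size_t replaced, n = to_legacy(in, 3, out, sizeof out, &replaced);
    printf("%zu bytes written, %zu replaced\n", n, replaced);
    return 0;
}
```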

Impact
======

An attacker without privileges may exploit this vulnerability remotely, allowing arbitrary code to be executed in order to gain unauthorized access.

Workaround
==========

While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of the affected packages.

Resolution
==========

All users should upgrade to the current version of the affected
packages:

    # emerge sync

    # emerge -pv ">=net-mail/courier-imap-3.0.0"
    # emerge ">=net-mail/courier-imap-3.0.0"

    # ** Or; depending on your installation... **

    # emerge -pv ">=net-mail/courier-0.45"
    # emerge ">=net-mail/courier-0.45"

References
==========

  [ 1 ] http://www.securityfocus.com/bid/9845
  [ 2 ] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0224

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org.




3. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-07
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple remote overflows and vulnerabilities in Ethereal
      Date: March 28, 2004
      Bugs: #45543
        ID: 200403-07

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple overflows and vulnerabilities exist in Ethereal which may allow an attacker to crash the program or run arbitrary code.

Background
==========

Quote from http://www.ethereal.com

"Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product. Its open source license allows talented experts in the networking community to add enhancements. It runs on all popular computing platforms, including Unix, Linux, and Windows."

Affected packages
=================

    -------------------------------------------------------------------
     Package                /   Vulnerable   /              Unaffected
    -------------------------------------------------------------------
     net-analyzer/ethereal       <= 0.10.2                   >= 0.10.3

Description
===========

There are multiple vulnerabilities in versions of Ethereal earlier than 0.10.3, including:

* Thirteen buffer overflows in the following protocol dissectors:
  NetFlow, IGAP, EIGRP, PGM, IrDA, BGP, ISUP, and TCAP.

* A zero-length Presentation protocol selector could make Ethereal
  crash.

* A vulnerability in the RADIUS packet dissector which may crash
  ethereal.

* A corrupt color filter file could cause a segmentation fault.

Impact
======

These vulnerabilities may cause Ethereal to crash or may allow an attacker to run arbitrary code on the user's computer.

Workaround
==========

While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of the affected package.

Resolution
==========

All users should upgrade to the current version of the affected
package:

    # emerge sync

    # emerge -pv ">=net-analyzer/ethereal-0.10.3"
    # emerge ">=net-analyzer/ethereal-0.10.3"

References
==========

  [ 1 ] http://www.ethereal.com/appnotes/enpa-sa-00013.html
  [ 2 ] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0176
  [ 3 ] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0365
  [ 4 ] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0367

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org.




4.  - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: oftpd DoS vulnerability
      Date: March 29, 2004
      Bugs: #45738
        ID: 200403-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A remotely-exploitable overflow exists in oftpd, allowing an attacker to crash the oftpd daemon.

Background
==========

Quote from http://www.time-travellers.org/oftpd/

"oftpd is designed to be as secure as an anonymous FTP server can possibly be. It runs as non-root for most of the time, and uses the Unix chroot() command to hide most of the systems directories from external users - they cannot change into them even if the server is totally compromised! It contains its own directory change code, so that it can run efficiently as a threaded server, and its own directory listing code (most FTP servers execute the system "ls" command to list files)."

Affected packages
=================

    -------------------------------------------------------------------
     Package        /   Vulnerable   /                      Unaffected
    -------------------------------------------------------------------
     net-ftp/oftpd       <= 0.3.6                             >= 0.3.7

Description
===========

Issuing a port command with a number higher than 255 causes the server to crash. The port command may be issued before any authentication takes place, meaning the attacker does not need to know a valid username and password in order to exploit this vulnerability.
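
The input check that this description calls for, as an added example that is not oftpd's code: a parser for the PORT argument that refuses any field above 255 before the values are used. The function name parse_port_arg and the sample arguments are hypothetical; the h1,h2,h3,h4,p1,p2 argument form is the one defined by RFC 959.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2" (RFC 959).
 * Returns 0 and fills ip[] and *port on success, -1 on any malformed or
 * out-of-range field. parse_port_arg is a hypothetical name, not oftpd's. */
int parse_port_arg(const char *arg, uint8_t ip[4], uint16_t *port)
{
    unsigned long field[6];
    const char *p = arg;

    for (int i = 0; i < 6; i++) {
        char *end;
        if (*p < '0' || *p > '9')      /* strtoul alone would accept " +5" */
            return -1;
        errno = 0;
        field[i] = strtoul(p, &end, 10);
        if (errno == ERANGE || field[i] > 255)
            return -1;                 /* every field must fit one octet */
        if (i < 5) {
            if (*end != ',')
                return -1;             /* too few fields or bad separator */
            p = end + 1;
        } else if (*end != '\0' && *end != '\r' && *end != '\n') {
            return -1;                 /* trailing data after p2 */
        }
    }
    for (int i = 0; i < 4; i++)
        ip[i] = (uint8_t)field[i];
    *port = (uint16_t)((field[4] << 8) | field[5]);
    return 0;
}

int main(void)
{
    /* Constructed sample arguments: one valid, three that must be refused. */
    const char *samples[] = { "192,0,2,10,19,136", "192,0,2,10,256,1",
                              "192,0,2,10,19", "192,0,2,10,19,-1" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        uint8_t ip[4];
        uint16_t port = 0;
        int rc = parse_port_arg(samples[i], ip, &port);
        printf("%-20s -> %s (port %u)\n", samples[i],
               rc == 0 ? "accepted" : "rejected", (unsigned)port);
    }
    return 0;
}
```

Because the PORT command is reachable before authentication, a check like this has to run on every connection, not only on logged-in sessions.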

Impact
======

This exploit causes a denial of service.

Workaround
==========

While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of the affected package.

Resolution
==========

All users should upgrade to the current version of the affected
package:

    # emerge sync

    # emerge -pv ">=net-ftp/oftpd-0.3.7"
    # emerge ">=net-ftp/oftpd-0.3.7"

References
==========

  [ 1 ] http://www.time-travellers.org/oftpd/oftpd-dos.html

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org.





5. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200403-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                             http://security.gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Buffer overflow in Midnight Commander
      Date: March 29, 2004
      Bugs: #45957
        ID: 200403-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A remotely-exploitable buffer overflow in Midnight Commander allows arbitrary code to be run on a user's computer.

Background
==========

Midnight Commander is a visual file manager.

Affected packages
=================

    -------------------------------------------------------------------
     Package      /    Vulnerable    /                        Unaffected
    -------------------------------------------------------------------
     app-misc/mc       <= 4.6.0-r4                           >= 4.6.0-r5

Description
===========

A stack-based buffer overflow has been found in Midnight Commander's virtual filesystem.

Impact
======

This overflow allows an attacker to run arbitrary code on the user's computer during the symlink conversion process.

Workaround
==========

While a workaround is not currently known for this issue, all users are advised to upgrade to the latest version of the affected package.

Resolution
==========

All users should upgrade to the current version of the affected
package:

    # emerge sync

    # emerge -pv ">=app-misc/mc-4.6.0-r5"
    # emerge ">=app-misc/mc-4.6.0-r5"

References
==========

  [ 1 ] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-1023

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org.


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Gentoo for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQGlC7Ipao72zK539AQElvAQAsFjGh+VF5cI4PrFdhbof4tBss8C2+29k
lreIbuptBrgYllfCG3lsnM37GO1FoPdr4D+70mHfBDpyy42CNc5ntkvLvwWOQYEA
JACQN8TpLXaZV+15/nsm5/mk1cQvXL9b/iBTkFcFHtgkwYKnffJr5vSZlXZ+kZ/9
muNcCidAGuk=
=RcNy
-----END PGP SIGNATURE-----