
UNIRAS Brief - 270/04 - Three Debian Security Advisories:



----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 270/04 dated 04.06.04  Time: 14:30  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
----------------------------------------------------------------------------------

Title
=====

Three Debian Security Advisories:

1. New gallery packages fix unauthenticated access

2. New rsync packages fix directory traversal bug

3. New log2mail packages fix format string vulnerabilities




Detail
====== 


1. A vulnerability was discovered in gallery, a web-based photo album written in PHP, 
whereby a remote attacker could gain access to the gallery "admin" user without proper 
authentication.  No CVE candidate was available for this vulnerability at the time of release.


2. A vulnerability was discovered in rsync, a file transfer program, whereby a remote user 
could cause an rsync daemon to write files outside of the intended directory tree.  This 
vulnerability is not exploitable when the daemon is configured with the 'chroot' option.
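The class of fix the rsync item calls for is a sanitiser that keeps every client-supplied name inside the module's directory tree. The following is an added example written for this briefing, not rsync's own code; the function names are my own.

```c
/* Added example, not rsync's own code: a lexical path sanitiser of the kind
 * a daemon needs so a client-supplied file name can never resolve outside
 * the module's root.  Leading slashes are stripped (no absolute paths), "."
 * is dropped, and ".." pops a component but is discarded when already at
 * the root instead of climbing above it.  It is lexical only: symlinks in
 * the tree are not resolved, one reason the advisory still points to the
 * 'chroot' option as a second layer. */
#include <stdio.h>
#include <string.h>

/* Write the sanitised form of `in` into `out` (capacity `outsz`).
 * Returns 0 on success, -1 if it does not fit or has over 256 components. */
int sanitize_path(const char *in, char *out, size_t outsz)
{
    size_t starts[256];      /* offset in `out` where each kept component begins */
    size_t depth = 0, len = 0;
    const char *p = in;
    if (outsz == 0) return -1;
    while (*p == '/') p++;   /* absolute path -> relative to the module root */
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        while (*p == '/') p++;   /* collapse runs of slashes */
        if (seglen == 1 && seg[0] == '.')
            continue;        /* "." adds nothing */
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth > 0) {                 /* pop the previous component ... */
                len = starts[--depth];
                if (len > 0) len--;          /* ... and the '/' before it */
            }
            continue;        /* ".." at the root is dropped, never honoured */
        }
        if (depth >= sizeof starts / sizeof starts[0]) return -1;
        size_t need = len + (len ? 1 : 0) + seglen;
        if (need >= outsz) return -1;        /* leave room for the NUL */
        if (len) out[len++] = '/';
        starts[depth++] = len;
        memcpy(out + len, seg, seglen);
        len += seglen;
    }
    out[len] = '\0';
    return 0;
}

/* 1 if `in` sanitises to exactly `want`; handy for checks. */
int sanitizes_to(const char *in, const char *want)
{
    char buf[64];
    return sanitize_path(in, buf, sizeof buf) == 0 && strcmp(buf, want) == 0;
}

int main(void)
{
    char buf[64];
    sanitize_path("../../etc/passwd", buf, sizeof buf);
    printf("%s\n", buf);     /* etc/passwd: the request cannot leave the root */
    return 0;
}
```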


3. jaguar@xxxxxxxxxxxxxxxx discovered a format string vulnerability in log2mail, whereby 
a user able to log a specially crafted message to a logfile monitored by log2mail 
(for example, via syslog) could cause arbitrary code to be executed with the privileges 
of the log2mail process. 
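The DSA text further down names the log2mail bug as a format string via syslog(3) in printlog(): log text that an outsider can influence was passed as the format argument. The following is an added example written for this briefing, not log2mail's code; it shows the fixed call shape and a small detector for log lines that would have been misparsed. Function names and the sample log lines are my own.

```c
/* Added example, not log2mail's own code.  The bug class the advisory names
 * ("format string via syslog(3) in printlog()") is passing log text, which
 * an outsider can influence, as the *format* argument of syslog(3)/printf(3).
 * printlog_safe() is the fixed call shape: the text travels as a "%s"
 * argument.  count_format_directives() is a small detector a log pipeline
 * can run on lines bound for a log-watching tool, counting the conversions
 * the vulnerable call would have interpreted and flagging %n in particular. */
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* The untrusted line is data, never the format. Returns its length. */
size_t printlog_safe(int priority, const char *line)
{
    syslog(priority, "%s", line);   /* the bug was the shape syslog(priority, line) */
    return strlen(line);
}

/* Count printf-style conversions in `line`, treating "%%" as a literal.
 * If `dangerous` is non-NULL it is set to 1 when a %n directive is present. */
int count_format_directives(const char *line, int *dangerous)
{
    int n = 0;
    if (dangerous) *dangerous = 0;
    for (const char *p = line; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;        /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt$", *q)) q++;
        if (!*q) break;
        if (strchr("diouxXeEfFgGaAcspn", *q)) {
            n++;
            if (*q == 'n' && dangerous) *dangerous = 1;
            p = q;
        }
    }
    return n;
}

/* 1 if the line carries %n, the one directive that writes to memory. */
int has_write_directive(const char *line)
{
    int d; count_format_directives(line, &d); return d;
}

int main(void)
{
    /* Constructed sample lines, as a log-watching tool would read them. */
    const char *lines[] = {
        "Jun  4 14:30:01 host sshd[123]: Accepted publickey for alice",
        "Jun  4 14:30:02 host app[42]: progress 100% complete",   /* benign '%' still misparsed */
        "Jun  4 14:30:03 host app[42]: user login %x%x%x%n",
    };
    for (size_t i = 0; i < 3; i++) {
        printf("%d conversion(s), %%n=%d: %s\n", count_format_directives(lines[i], NULL),
               has_write_directive(lines[i]), lines[i]);
        printlog_safe(LOG_INFO, lines[i]);
    }
    return 0;
}
```

Note that the second sample line is benign yet still counts as one conversion ("% c"), which is exactly why the fix is the "%s" shape rather than filtering.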





1.




===========================================================================
             
            ESB-2004.0381 -- Debian Security Advisory DSA 512-1
              New gallery packages fix unauthenticated access
                               04 June 2004

===========================================================================

        

Product:                gallery
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux variants
Impact:                 Inappropriate Access
Access Required:        Remote

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 512-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Matt Zimmerman
June 2nd, 2004                          http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : gallery
Vulnerability  : unauthenticated access
Problem-Type   : remote
Debian-specific: no

A vulnerability was discovered in gallery, a web-based photo album written in PHP, 
whereby a remote attacker could gain access to the gallery "admin" user without 
proper authentication.  No CVE candidate was available for this vulnerability at 
the time of release.

For the current stable distribution (woody), these problems have been fixed in 
version 1.2.5-8woody2.

For the unstable distribution (sid), these problems have been fixed in 
version 1.4.3-pl2-1.

We recommend that you update your gallery package.

Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5-8woody2.dsc
      Size/MD5 checksum:      573 1369280ce34db40a941ef4fae6f107a5
    http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5-8woody2.diff.gz
      Size/MD5 checksum:     7575 109d81ad481a7b6a197b5dd5b2a3eeaf
    http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5.orig.tar.gz
      Size/MD5 checksum:   132099 1a32e57b36ca06d22475938e1e1b19f9

  Architecture independent components:

    http://security.debian.org/pool/updates/main/g/gallery/gallery_1.2.5-8woody2_all.deb
      Size/MD5 checksum:   137412 ebae6be30fe04acb993da74c9f54dcf0

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAvg5kArxCt0PiXR4RAkWQAJ0beIP5URU0Wtz6oS21R35UniV8wwCgxUd2
SjSIIooMEHZjCAK2Lyxuc78=
=x+ya
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------




2.




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             
            ESB-2004.0382 -- Debian Security Advisory DSA 499-2
              New rsync packages fix directory traversal bug
                               04 June 2004

===========================================================================

        

Product:                rsync
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux variants
Impact:                 Overwrite Arbitrary Files
Access Required:        Remote
CVE Names:              CAN-2004-0426

Ref:                    ESB-2004.0316

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 499-2                     security@xxxxxxxxxx
http://www.debian.org/security/                             Matt Zimmerman
June 2nd, 2004                          http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : rsync
Vulnerability  : directory traversal
Problem-Type   : remote
Debian-specific: no
CVE Ids        : CAN-2004-0426

A vulnerability was discovered in rsync, a file transfer program, whereby a remote 
user could cause an rsync daemon to write files outside of the intended directory tree.  
This vulnerability is not exploitable when the daemon is configured with the 'chroot' option.

This update includes an additional fix related to the original vulnerability.

For the current stable distribution (woody) this problem has been fixed in version 2.5.5-0.5.

For the unstable distribution (sid), this problem has been fixed in version 2.6.1-1.

We recommend that you update your rsync package.

Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5.dsc
      Size/MD5 checksum:      545 94568a0080459dd6d8d84470a462b7dc
    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5.diff.gz
      Size/MD5 checksum:    92695 66730a221c5d2d175ea9f58b0a1bac86
    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5.orig.tar.gz
      Size/MD5 checksum:   415156 39d76c62684750842d3884a77c2e5466

  Alpha architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_alpha.deb
      Size/MD5 checksum:   227712 cc3046698f1aa151efdccc1dce1cb9f4

  ARM architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_arm.deb
      Size/MD5 checksum:   206610 2cbcbb999e404b8d65167fe1dc540c52

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_i386.deb
      Size/MD5 checksum:   194854 62116c48c3ed4d29e110b35b92046761

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_ia64.deb
      Size/MD5 checksum:   255716 90e274e9a84ab1703fe36bffee656712

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_hppa.deb
      Size/MD5 checksum:   214430 0e0ec89aeeb8e24335b1f8baf933bc6d

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_m68k.deb
      Size/MD5 checksum:   190008 9ac8acc88490fd3337a1a588702f0a2c

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_mips.deb
      Size/MD5 checksum:   216470 fca9b734baf43b434e0bae182b879a6a

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_mipsel.deb
      Size/MD5 checksum:   216746 1ca2e9a76353d4c30f0137cc6c385177

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_powerpc.deb
      Size/MD5 checksum:   205832 c9f08359ae6453e7f31b907aaa7dd960

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_s390.deb
      Size/MD5 checksum:   205090 0f9013705deb8a7c70b3d3a3995b722b

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/r/rsync/rsync_2.5.5-0.5_sparc.deb
      Size/MD5 checksum:   205542 1d8c456c899a37c52cafe20b30f87025

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAviW/ArxCt0PiXR4RAq0xAJ46Z9xVC71WK7NaO/uvdopuVWueqQCgsnuC
cTAsMUOO2GOoREGty44NEa4=
=nl0I
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------







3.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

            ESB-2004.0383 -- Debian Security Advisory DSA 513-1
          New log2mail packages fix format string vulnerabilities
                               04 June 2004

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:                log2mail
Publisher:              Debian
Operating System:       Debian GNU/Linux 3.0
                        Linux variants
Impact:                 Execute Arbitrary Code/Commands
Access Required:        Remote
CVE Names:              CAN-2004-0450

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - --------------------------------------------------------------------------
Debian Security Advisory DSA 513-1                     security@xxxxxxxxxx
http://www.debian.org/security/                             Matt Zimmerman
June 3rd, 2004                          http://www.debian.org/security/faq
- - --------------------------------------------------------------------------

Package        : log2mail
Vulnerability  : format string
Problem-Type   : local/remote
Debian-specific: no
CVE Ids        : CAN-2004-0450

jaguar@xxxxxxxxxxxxxxxx discovered a format string vulnerability in log2mail, 
whereby a user able to log a specially crafted message to a logfile monitored by 
log2mail (for example, via syslog) could cause arbitrary code to be executed with 
the privileges of the log2mail process.  By default, this process runs as user 'log2mail', 
which is a member of group 'adm' (which has access to read system logfiles).

CAN-2004-0450: log2mail format string vulnerability via syslog(3) in
printlog()

For the current stable distribution (woody), this problem has been fixed in version 0.2.5.2.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you update your log2mail package.

Upgrade Instructions
- - --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody
- - --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2.dsc
      Size/MD5 checksum:      483 2a1a8392e2e4ef146ad437e8d0abfd3b
    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2.tar.gz
      Size/MD5 checksum:    29532 a593de7eb31e492bcaec9f2cbf0d8c8a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_alpha.deb
      Size/MD5 checksum:    70318 a09d0a7d8585c1c4845e5fe479e7d94f

  ARM architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_arm.deb
      Size/MD5 checksum:    31408 92dea5294c75b0b3befc50584de55b3a

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_i386.deb
      Size/MD5 checksum:    38750 1ac164fad7f976532b264a9ff5ea4ced

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_ia64.deb
      Size/MD5 checksum:    49242 5704ea6ac083a7f7800b2ac2df8d31db

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_hppa.deb
      Size/MD5 checksum:    44726 9946fba7d6e7d1590073413e282e5aa0

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_m68k.deb
      Size/MD5 checksum:    38700 e6ca7eefcb0adca40309075c14970877

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_mips.deb
      Size/MD5 checksum:    48576 a2a96b0be1b4a8bc83a17db7fa2a51a1

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_mipsel.deb
      Size/MD5 checksum:    47872 bcff2fb39c25c51270e0330fdafa5b87

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_powerpc.deb
      Size/MD5 checksum:    37056 2b8f844e4abf80505823c24dd1f0a7d8

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_s390.deb
      Size/MD5 checksum:    37280 86d660937516c317493412ba005ea2fb

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/l/log2mail/log2mail_0.2.5.2_sparc.deb
      Size/MD5 checksum:    34914 8ba63250986eb25923bcf1229f18bfe7

  These files will probably be moved into the stable distribution on
  its next revision.

- - ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@xxxxxxxxxxxxxxxx
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)

iD8DBQFAv2lzArxCt0PiXR4RAnQAAJ0RtKmWRNOvzIM5lYCPvGpUzPt4HwCfbk/r
hTSjw5TcWHIxSatXTd87KjU=
=lhiB
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------



----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone, or send Not Protectively Marked information by email to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Debian for the information 
contained in this Briefing. 
----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
----------------------------------------------------------------------------------
<End of UNIRAS Briefing>