
UNIRAS Brief - 597/04 - Five Gentoo Security Advisories:



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 597/04 dated 27.10.04  Time: 11:50  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Five Gentoo Security Advisories:

1. GLSA 200410-22 - MySQL: Multiple vulnerabilities

2. GLSA 200410-23 - Gaim: Multiple vulnerabilities

3. GLSA 200410-24 - MIT krb5: Insecure temporary file use in send-pr.sh

4. GLSA 200410-25 - Netatalk: Insecure tempfile handling in etc2ps.sh

5. GLSA 200410-26 - socat: Format string vulnerability


Detail
====== 

1. Several vulnerabilities including privilege abuse, Denial of Service, 
and potentially remote arbitrary code execution have been discovered in MySQL.

2. Multiple vulnerabilities have been found in Gaim which could allow a remote 
attacker to crash the application, or possibly execute arbitrary code.

3. The send-pr.sh script, included in the mit-krb5 package, is vulnerable to 
symlink attacks, potentially allowing a local user to overwrite arbitrary files 
with the rights of the user running the utility.

4. The etc2ps.sh script, included in the Netatalk package, is vulnerable to 
symlink attacks, potentially allowing a local user to overwrite arbitrary files 
with the rights of the user running the utility.

5. socat contains a format string vulnerability that can potentially lead to 
remote or local execution of arbitrary code with the privileges of the socat process.



1.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: MySQL: Multiple vulnerabilities
      Date: October 24, 2004
      Bugs: #67062
        ID: 200410-22

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities including privilege abuse, Denial of Service, and potentially 
remote arbitrary code execution have been discovered in MySQL.

Background
==========

MySQL is a popular open-source, multi-threaded, multi-user SQL database server.

Affected packages
=================

    -------------------------------------------------------------------
     Package       /  Vulnerable  /                         Unaffected
    -------------------------------------------------------------------
  1  dev-db/mysql      < 4.0.21                              >= 4.0.21

Description
===========

The following vulnerabilities were found and fixed in MySQL:

Oleksandr Byelkin found that ALTER TABLE ... RENAME checks CREATE/INSERT rights of the 
old table instead of the new one (CAN-2004-0835). Another privilege checking bug allowed 
users to grant rights on a database they had no rights on.

Dean Ellis found a defect where multiple threads ALTERing the MERGE tables to change the 
UNION could cause the server to crash (CAN-2004-0837). Another crash was found 
in MATCH ... AGAINST() queries with a missing closing double quote.

Finally, a buffer overrun in the mysql_real_connect function was found by Lukasz 
Wojtow (CAN-2004-0836).

Impact
======

The privilege checking issues could be used by remote users to bypass their rights on 
databases. The two crash issues could be exploited by a remote user to perform a Denial 
of Service attack on the MySQL server. The buffer overrun issue could also be exploited as 
a Denial of Service attack, and may allow the execution of arbitrary code with the rights of 
the MySQL daemon (typically, the "mysql" user).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MySQL users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=dev-db/mysql-4.0.21"
    # emerge ">=dev-db/mysql-4.0.21"

References
==========

  [ 1 ] CAN-2004-0835
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0835
  [ 2 ] CAN-2004-0836
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0836
  [ 3 ] CAN-2004-0837
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0837
  [ 4 ] Privilege granting bug
        http://bugs.mysql.com/bug.php?id=3933
  [ 5 ] MATCH ... AGAINST crash bug
        http://bugs.mysql.com/bug.php?id=3870

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-22.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security 
of our users' machines is of utmost importance to us. Any security concerns should be 
addressed to security@xxxxxxxxxx or alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0



2.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Gaim: Multiple vulnerabilities
      Date: October 24, 2004
      Bugs: #68271
        ID: 200410-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Gaim which could allow a remote attacker 
to crash the application, or possibly execute arbitrary code.

Background
==========

Gaim is a full-featured instant messaging client which handles a variety of instant 
messaging protocols.

Affected packages
=================

    -------------------------------------------------------------------
     Package      /  Vulnerable  /                          Unaffected
    -------------------------------------------------------------------
  1  net-im/gaim       < 1.0.2                                >= 1.0.2

Description
===========

A possible buffer overflow exists in the code processing MSN SLP messages 
(CAN-2004-0891). memcpy() was used without validating the size of the buffer, 
and an incorrect buffer was used as destination under certain circumstances. 
Additionally, memory allocation problems were found in the processing of 
MSN SLP messages and the receiving of files. These issues could lead Gaim 
to try to allocate more memory than available, resulting in the crash of the 
application.

Impact
======

A remote attacker could crash Gaim and possibly execute arbitrary code by 
exploiting the buffer overflow.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Gaim users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-im/gaim-1.0.2"
    # emerge ">=net-im/gaim-1.0.2"

References
==========

  [ 1 ] CAN-2004-0891
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0891
  [ 2 ] Gaim Security Issues
        http://gaim.sourceforge.net/security/

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo 
Security Website:

  http://security.gentoo.org/glsa/glsa-200410-23.xml




3.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MIT krb5: Insecure temporary file use in send-pr.sh
      Date: October 25, 2004
      Bugs: #66359
        ID: 200410-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The send-pr.sh script, included in the mit-krb5 package, is vulnerable to 
symlink attacks, potentially allowing a local user to overwrite arbitrary 
files with the rights of the user running the utility.

Background
==========

MIT krb5 is the free implementation of the Kerberos network authentication 
protocol written by the Massachusetts Institute of Technology.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-crypt/mit-krb5      <= 1.3.5                      >= 1.3.5-r1
                                                          *>= 1.3.4-r1

Description
===========

The send-pr.sh script creates temporary files in world-writeable directories 
with predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files directory, 
pointing to a valid file somewhere on the filesystem. When send-pr.sh is called, 
this would result in the file being overwritten with the rights of the user 
running the utility, which could be the root user.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT krb5 users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=app-crypt/mit-krb5-1.3.4-r1"
    # emerge ">=app-crypt/mit-krb5-1.3.4-r1"

References
==========

  [ 1 ] CAN-2004-0971
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0971

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-24.xml



4.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Netatalk: Insecure tempfile handling in etc2ps.sh
      Date: October 25, 2004
      Bugs: #66370
        ID: 200410-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The etc2ps.sh script, included in the Netatalk package, is vulnerable to symlink 
attacks, potentially allowing a local user to overwrite arbitrary files with the 
rights of the user running the utility.

Background
==========

Netatalk is a kernel level implementation of the AppleTalk Protocol Suite, which 
allows Unix hosts to act as file, print, and time servers for Apple computers. It 
includes several script utilities, including etc2ps.sh.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                      Unaffected
    -------------------------------------------------------------------
  1  net-fs/netatalk     < 1.6.4-r1                        >= 1.6.4-r1

Description
===========

The etc2ps.sh script creates temporary files in world-writeable directories with 
predictable names.

Impact
======

A local attacker could create symbolic links in the temporary files directory, 
pointing to a valid file somewhere on the filesystem. When etc2ps.sh is executed, 
this would result in the file being overwritten with the rights of the user running 
the utility, which could be the root user.
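
The predictable-name problem described in this advisory and in GLSA 200410-24 above, shown beside its usual fix. This is an added example, not taken from either advisory or from send-pr.sh or etc2ps.sh: the PID-based file name, the "report" prefix and the sandbox paths are constructed for illustration, since the advisories do not show the scripts' actual lines.

```shell
#!/bin/sh
# Added illustration; every path is created inside a private sandbox directory.

# Unsafe: the name is derived from the PID, so it can be guessed in advance,
# and plain '>' opens whatever already sits at that path, following symlinks.
unsafe_write() {   # $1 = temp directory, $2 = data
    tmp="$1/report.$$"
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Hardened: mktemp chooses a random suffix and creates the file exclusively
# with mode 0600, so a link planted beforehand is never opened.
safe_write() {     # $1 = temp directory, $2 = data
    tmp=$(mktemp "$1/report.XXXXXX") || return 1
    printf '%s\n' "$2" > "$tmp"
    printf '%s\n' "$tmp"
}

# Run one writer against a directory that already holds a symlink at the
# guessable name, then print what the link's target contains afterwards.
run_case() {       # $1 = unsafe_write | safe_write
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX") || return 1
    mkdir "$sandbox/tmp"                       # stands in for /tmp
    printf 'original\n' > "$sandbox/victim"    # file the script's user can write
    ln -s "$sandbox/victim" "$sandbox/tmp/report.$$"
    "$1" "$sandbox/tmp" "scratch data" > /dev/null
    cat "$sandbox/victim"
    rm -rf "$sandbox"
}

printf 'predictable name: target holds "%s"\n' "$(run_case unsafe_write)"
printf 'mktemp:           target holds "%s"\n' "$(run_case safe_write)"
```

On Linux, the fs.protected_symlinks sysctl limits this class of attack in sticky world-writable directories, but it is a backstop; the script-side fix is still mktemp.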

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Netatalk users should upgrade to the latest version:

    # emerge sync

    # emerge -pv ">=net-fs/netatalk-1.6.4-r1"
    # emerge ">=net-fs/netatalk-1.6.4-r1"

References
==========

  [ 1 ] CAN-2004-0974
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0974

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-25.xml




5.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200410-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: socat: Format string vulnerability
      Date: October 25, 2004
      Bugs: #68547
        ID: 200410-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

socat contains a format string vulnerability that can potentially lead to remote or 
local execution of arbitrary code with the privileges of the socat process.

Background
==========

socat is a multipurpose bidirectional relay, similar to netcat.

Affected packages
=================

    -------------------------------------------------------------------
     Package         /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-misc/socat      < 1.4.0.3                          >= 1.4.0.3

Description
===========

socat contains a syslog()-based format string vulnerability in the '_msg()' function 
of 'error.c'. Exploitation of this bug is only possible when socat is run with the '-ly' 
option, causing it to log messages to syslog.

Impact
======

Remote exploitation is possible when socat is used as an HTTP proxy client and connects 
to a malicious server. Local privilege escalation can be achieved when socat listens 
on a UNIX domain socket. Potential execution of arbitrary code with the privileges of 
the socat process is possible with both local and remote exploitation.


Workaround
==========

Disable logging to syslog by not using the '-ly' option when starting socat.

Resolution
==========

All socat users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-misc/socat-1.4.0.3"

References
==========

  [ 1 ] socat Security Advisory
        http://www.dest-unreach.org/socat/advisory/socat-adv-1.html

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200410-26.xml


- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone. Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 870 487 0748 Ext 4511
Fax: +44 (0) 870 487 0749

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 870 487 0748 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Gentoo for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark, manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS nor NISCC shall accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQX99vopao72zK539AQHIXAP7Bg+qYIdtzEVGuOeFUIKrhMqpOraF+ekU
fw9f9++aylFlyo3EaDAPs2BV6rwlRGEwVwehPLtVBngOaIODtRfSyrXDSiONbANd
z2eOQI3Mg5BLza9QJUFDBEZjKc9B8sTyde53Con7wCu+qtDDtZY+/IW1DETNXeIu
zK2oQ0tHKjE=
=5yib
-----END PGP SIGNATURE-----