[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 825/06 - Two Gentoo Linux Security Advisories:



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

 UNIRAS (UK Government CERT) Briefing - 825/06 dated 15.12.06 time 14:45
 UNIRAS is part of NISCC (the UK National Infrastructure Security
 Co-ordination Centre)
______________________________________________________________________________

 UNIRAS material is available from the NISCC website at www.niscc.gov.uk
______________________________________________________________________________

Title
=====

Two Gentoo Linux Security Advisories:

1. GLSA 200612-15 - McAfee VirusScan: Insecure DT_RPATH

2. GLSA 200612-17 - GNU Radius: Format string vulnerability

Detail
======

1. Jakub Moc of Gentoo Linux discovered that McAfee VirusScan was distributed 
with an insecure DT_RPATH which included the current working directory, rather 
than $ORIGIN which was probably intended.

2. A format string vulnerability was found in the sqllog function from the SQL 
accounting code for radiusd. That function is only used if one or more of the 
"postgresql", "mysql" or "odbc" USE flags are enabled, which is not the default, 
except for the "server" 2006.1 and 2007.0 profiles which enable the "mysql" USE flag.



1.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200612-15
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: McAfee VirusScan: Insecure DT_RPATH
      Date: December 14, 2006
      Bugs: #156989
        ID: 200612-15

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

McAfee VirusScan for Linux is distributed with an insecure DT_RPATH, potentially allowing a remote attacker to execute arbitrary
code.

Background
==========

McAfee VirusScan for Linux is a commercial antivirus solution for Linux.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  app-antivirus/vlnx      <= 4510e                      Vulnerable!
    -------------------------------------------------------------------
     NOTE: Certain packages are still vulnerable. Users should migrate
           to another package if one is available or wait for the
           existing packages to be marked stable by their
           architecture maintainers.

Description
===========

Jakub Moc of Gentoo Linux discovered that McAfee VirusScan was distributed with an insecure DT_RPATH which included the current
working directory, rather than $ORIGIN which was probably intended.

Impact
======

An attacker could entice a VirusScan user to scan an arbitrary file and execute arbitrary code with the privileges of the VirusScan
user by tricking the dynamic loader into loading an untrusted ELF DSO. An automated system, such as a mail scanner, may be subverted
to execute arbitrary code with the privileges of the process invoking VirusScan.

Workaround
==========

Do not scan files or execute VirusScan from an untrusted working directory.

Resolution
==========

As VirusScan verifies that it has not been modified before executing, it is not possible to correct the DT_RPATH. Furthermore, this
would violate the license that VirusScan is distributed under. For this reason, the package has been masked in Portage pending the
resolution of this issue.

    # emerge --ask --verbose --unmerge "app-antivirus/vlnx"

References
==========

  [ 1 ] CVE-2006-6474
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6474

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200612-15.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5



2.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200612-17
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: GNU Radius: Format string vulnerability
      Date: December 14, 2006
      Bugs: #156376
        ID: 200612-17

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

A format string vulnerabilty has been found in GNU Radius, which could lead to the remote execution of arbitrary code.

Background
==========

GNU Radius is a GNU version of Radius, a server for remote user authentication and accounting.

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                 Unaffected
    -------------------------------------------------------------------
  1  net-dialup/gnuradius        < 1.4                          >= 1.4

Description
===========

A format string vulnerability was found in the sqllog function from the SQL accounting code for radiusd. That function is only used
if one or more of the "postgresql", "mysql" or "odbc" USE flags are enabled, which is not the default, except for the "server"
2006.1 and 2007.0 profiles which enable the "mysql" USE flag.

Impact
======

An unauthenticated remote attacker could execute arbitrary code with the privileges of the user running radiusd, which may be the
root user.
It is important to note that there is no default GNU Radius user for Gentoo systems because no init script is provided with the
package.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All GNU Radius users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=net-dialup/gnuradius-1.4"

References
==========

  [ 1 ] CVE-2006-4181
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4181

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200612-17.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to security@xxxxxxxxxx or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2006 Gentoo Foundation, Inc; referenced text belongs to its owner(s).

The contents of this document are licensed under the Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5


______________________________________________________________________________

NISCC values your feedback.

1. Which of the following most reflects the value of the briefing to you?
(Place an 'X' next to your choice)

Very useful:__ Useful:__ Not useful:__ 

2. If you did not find it useful, why not?


3. Any other comments? How could we improve our briefings?


Thank you for your contribution.
______________________________________________________________________________

For additional information or assistance, please contact our help desk
by telephone.  You may send Not Protectively Marked information via
e-mail to uniras@xxxxxxxxxxxxx

Office hours:

Mon - Fri: 08:30 - 17:00 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749

On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts

______________________________________________________________________________

UNIRAS wishes to acknowledge the contributions of Gentoo for the
information contained in this briefing.
______________________________________________________________________________

This notice contains information released by the original author.
Some of the information may have changed since it was released. If the
vulnerability affects you, it may be prudent to retrieve the advisory
from the site of the original source to ensure that you receive the most
current information concerning that problem.

Reference to any specific commercial product, process, or service by
trade name, trademark manufacturer, or otherwise, does not constitute or
imply its endorsement, recommendation, or favouring by UNIRAS or NISCC.
The views and opinions of authors expressed within this notice shall not
be used for advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors
or omissions contained within this briefing notice. In particular, they
shall not be liable for any loss or damage whatsoever, arising from or
in connection with the usage of information contained within this
notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams
(FIRST) and has contacts with other international Incident Response
Teams (IRTs) in order to foster cooperation and coordination in incident
prevention, to prompt rapid reaction to incidents, and to promote
information sharing amongst its members and the community at large.
______________________________________________________________________________

<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBRYK1Lml7oeQsXfKvEQKJSwCgk/YMci+2XdkBv+IoiYquOkrvSnQAoJDu
PpB0RF5eLoxS7FrqaN4tE8Dv
=TNAM
-----END PGP SIGNATURE-----


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________