SuSE: 'xli/xloadimage' buffer overflow

    Date24 Jul 2001
    CategorySuSE
    4202
    Posted ByLinuxSecurity Advisories
    Due to missing boundary checks in the xli code a buffer overflow could be triggered by an external attacker to execute commands on the victim's system. An exploit is publically available.
    
    ______________________________________________________________________________
    
                            SuSE Security Announcement
    
            Package:                xli/xloadimage
            Announcement-ID:        SuSE-SA:2001:024
            Date:                   Tuesday, July 24th 2001 17:30 MEST
            Affected SuSE versions: (6.0, 6.1, 6.2,) 6.3, 6.4, 7.0, 7.1, 7.2
            Vulnerability Type:     remote system compromise
            Severity (1-10):        3
            SuSE default package:   no
            Other affected systems: yes
    
            Content of this advisory:
            1) security vulnerability resolved: xli
               problem description, discussion, solution and upgrade information
            2) pending vulnerabilities, solutions, workarounds
            3) standard appendix (further information)
    
    ______________________________________________________________________________
    
    1)  problem description, brief discussion, solution, upgrade information
    
      xli, aka xloadimage, a image viewer for X11 is used by Netscape's plugger
      to display TIFF-, PNG- and Sun-Raster-images. The plugger configuration
      file is /etc/pluggerrc.
      Due to missing boundary checks in the xli code a buffer overflow could be
      triggered by an external attacker to execute commands on the victim's
      system. An exploit is publically available.
    
      SuSE Linux is not vulnerable by default because of the different names.
      On SuSE Linux the command is called xli, while the plugger uses xloadimage.
        /etc/pluggerrc:
          exits: xloadimage -quiet -windowid $window $file
    
      If you have xloadimage installed on your system on your own, you should
      comment out the lines in /etc/pluggerrc, that contain xloadimage, for
      a temporary fix.
    
      Otherwise update the packages for your system.
      Nevertheless, it's recommended to leave the xloadimage entry in
      /etc/pluggerrc commented out, because of the potential risk the
      xloadimage code causes.
    
    
      i386 Intel Platform:
    
      SuSE-7.2
         ftp://ftp.suse.com/pub/suse/i386/update/7.2/gra2/xli-1.16-351.i386.rpm
          d35b3ee5b02bfb1bf4f9d8ccefdfa889
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/xli-1.16-351.src.rpm
          56b928a28cb32cc0103bfa89e74eee05
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/i386/update/7.1/gra2/xli-1.16-351.i386.rpm
          5216c3ebdbd327506790107a927a0c2e
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.1/zq1/xli-1.16-351.src.rpm
          c3ee309a35fdcf0652626f9712771523
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/i386/update/7.0/gra2/xli-1.16-351.i386.rpm
          dffbd8a0c19d8df8141d4434107fb042
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/7.0/zq1/xli-1.16-351.src.rpm
          410666ff06b1d050fd9cd6a16b190143
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/i386/update/6.4/gra2/xli-1.16-351.i386.rpm
          8132e176e41d403978049345941679a0
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.4/zq1/xli-1.16-351.src.rpm
          d40dc2e9b46b7a9818cfd73dac269758
    
        SuSE-6.3
         ftp://ftp.suse.com/pub/suse/i386/update/6.3/gra2/xli-1.16-351.i386.rpm
          b7cb7b57c78d8d5b765941372d7d7559
        source rpm:
         ftp://ftp.suse.com/pub/suse/i386/update/6.3/zq1/xli-1.16-351.src.rpm
          f8c47e0de4bfd59b40b0271aca133e36
    
    
        Sparc Platform:
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/sparc/update/7.1/gra2/xli-1.16-301.sparc.rpm
          7df3b152cf2e5e89582007fbeb59ec4c
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.1/zq1/xli-1.16-301.src.rpm
          c110d3e3bfbc73f2a37cb91d468acd60
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/gra2/xli-1.16-300.sparc.rpm
          62d0e49f02a6c6491f1341a6f92aa3b0
        source rpm:
         ftp://ftp.suse.com/pub/suse/sparc/update/7.0/zq1/xli-1.16-300.src.rpm
          00201403e740d408f20e8ae77a63f77f
    
    
        AXP Alpha Platform:
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/axp/update/7.1/gra2/xli-1.16-301.alpha.rpm
          fdc3bb5cd102fa3007c3fe5fb0ae999b
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/7.1/zq1/xli-1.16-301.src.rpm
          72e51e76005f216ea476ff0e2a9890ce
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/axp/update/7.0/gra2/xli-1.16-301.alpha.rpm
          ba9efef4991ebc8fda02f00395468468
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/7.0/zq1/xli-1.16-301.src.rpm
          e4d369fd4080965f9a81ba5e97934245
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/axp/update/6.4/gra2/xli-1.16-301.alpha.rpm
          2d37a2be14760c8f3f251c83e141502f
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.4/zq1/xli-1.16-301.src.rpm
          8abca3e1af92ccfea799c3b1da6f333e
    
        SuSE-6.3
         ftp://ftp.suse.com/pub/suse/axp/update/6.3/gra2/xli-1.16-301.alpha.rpm
          76f134e228a39a440c517a3dc673b250
        source rpm:
         ftp://ftp.suse.com/pub/suse/axp/update/6.3/zq1/xli-1.16-301.src.rpm
          88dbb49098cc0120e72b4ac4b357c1d8
    
    
        PPC Power PC Platform:
    
        SuSE-7.1
         ftp://ftp.suse.com/pub/suse/ppc/update/7.1/gra2/xli-1.16-304.ppc.rpm
          52df89afc2aef3752bc968b7e179e85b
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/7.1/zq1/xli-1.16-304.src.rpm
          00d53cae7c9d856069f720abb746c173
    
        SuSE-7.0
         ftp://ftp.suse.com/pub/suse/ppc/update/7.0/gra2/xli-1.16-304.ppc.rpm
    
          065b0453669abfad9d7afd51f9712c22
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/7.0/zq1/xli-1.16-304.src.rpm
          d536054cff521e6f62cc01ef16f910ce
    
        SuSE-6.4
         ftp://ftp.suse.com/pub/suse/ppc/update/6.4/gra2/xli-1.16-304.ppc.rpm
          efbd1b48104f53cef252d3e40918303c
        source rpm:
         ftp://ftp.suse.com/pub/suse/ppc/update/6.4/zq1/xli-1.16-304.src.rpm
          310f59a98f63b78d8d3f528aa85546c2
    
    
    ______________________________________________________________________________
    
    2)  Pending vulnerabilities in SuSE Distributions and Workarounds:
    
      - dqs
        This email address is being protected from spambots. You need JavaScript enabled to view it. has found an exploitable buffer overflow bug in
        the dsh program from the dqs package on SuSE Linux distributions.
        To workaround the problem, do "chmod -s /usr/bin/dsh" and change the
        files /etc/permissions* to reflect the change. If you do not need the
        dqs package, then deinstall it (rpm -e dqs).
        Packages for most of the supported SuSE Linux distributions are
        available at the usual location  ftp://ftp.suse.com/pub/suse//
        for download and installation/update. Do not forget to change the files
        /etc/permissions* to remove the suid-bit from the dsh program. Please
        note that we will not issue a dedicated security announcement for this
        specific bug.
    
    
      - pcp
        Paul Starzetz discovered a security weakness in the setuid root program
        /usr/share/pcp/bin/pmpost. The common library in pcp trusts the
        environment that has been supplied by the user, regardless of privileged
        execution or not. By consequence, a user can specify the configuration
        file and therefore write to files owned by root. The problem is not based
        on insecurely following symlinks as stated by Paul Starzetz.
        The pcp package is not installed by default in SuSE Linux distributions.
        We have provided update packages for the SuSE Linux distributions version
        7.1 and 7.2 that remove the setuid bit from the pmpost binary. Versions
        before SuSE-7.1 were not affected because the setuid bit was not set.
        We thank Keith Owens and Mark Goodwin from Silicon Graphics for responding
        quickly and for publishing a new version of the pcp package which will
        be included in future releases of the SuSE Linux distribution. For more
        information see the /usr/share/doc/packages/pcp directory of your SuSE
        Linux installation after installing the update package, or go to
        obtained from  http://oss.sgi.com/projects/pcp/download .
        Please note that there will not be a dedicated security announcement
        for this specific bug.
    
    
      - fetchmail (fetchml)
        New fetchmail packages are available on the ftp server. The packages
        cure a buffer overflow that can be exploited by sending a victim a
        specially designed email, waiting for the victim's fetchmail program
        to pick up the email. We are preparing a security announcement for this
        problem.
    
    
      - openssh
        update packages for the openssh package after (and including) SuSE-6.4
        are available on our ftp servers ftp.suse.de (for < 7.1) or ftp.suse.com (for >= 7.1). We are currently checking for a non-security
        related irregularity in sshd's behaviour under faulty setup conditions.
    
    
      - exim
        SuSE Linux distributions do not contain the exim Mail Transport Agent
        (See  http://www.exim.org/ for details) and are therefore not susceptible
        to the recently found security-related bugs.
    
    
      - webmin
        SuSE Linux distributions do not contain the webmin administration
        web frontend (See  http://www.webmin.org/ for details) and are therefore
        not vulnerable to the recently found security-related problems in the
        software.
    
    
    ______________________________________________________________________________
    
    3)  standard appendix: authenticity verification, additional information
    
      - Package authenticity verification:
    
        SuSE update packages are available on many mirror ftp servers all over
        the world. While this service is being considered valuable and important
        to the free and open source software community, many users wish to be
        sure about the origin of the package and its content before installing
        the package. There are two verification methods that can be used
        independently from each other to prove the authenticity of a downloaded
        file or rpm package:
        1) md5sums as provided in the (cryptographically signed) announcement.
        2) using the internal gpg signatures of the rpm package.
    
        1) execute the command
            md5sum 
           after you downloaded the file from a SuSE ftp server or its mirrors.
           Then, compare the resulting md5sum with the one that is listed in the
           announcement. Since the announcement containing the checksums is
           cryptographically signed (usually using the key This email address is being protected from spambots. You need JavaScript enabled to view it.),
           the checksums show proof of the authenticity of the package.
           We disrecommend to subscribe to security lists which cause the
           email message containing the announcement to be modified so that
           the signature does not match after transport through the mailing
           list software.
           Downsides: You must be able to verify the authenticity of the
           announcement in the first place. If RPM packages are being rebuilt
           and a new version of a package is published on the ftp server, all
           md5 sums for the files are useless.
    
        2) rpm package signatures provide an easy way to verify the authenticity
           of an rpm package. Use the command
            rpm -v --checksig 
           to verify the signature of the package, where  is the
           filename of the rpm package that you have downloaded. Of course,
           package authenticity verification can only target an uninstalled rpm
           package file.
           Prerequisites:
            a) gpg is installed
            b) The package is signed using a certain key. The public part of this
               key must be installed by the gpg program in the directory
               ~/.gnupg/ under the user's home directory who performs the
               signature verification (usually root). You can import the key
               that is used by SuSE in rpm packages for SuSE Linux by saving
               this announcement to a file ("announcement.txt") and
               running the command (do "su -" to be root):
                gpg --batch; gpg < announcement.txt | gpg --import
               SuSE Linux distributions version 7.1 and thereafter install the
               key "This email address is being protected from spambots. You need JavaScript enabled to view it." upon installation or upgrade, provided that
               the package gpg is installed. The file containing the public key
               is placed at the toplevel directory of the first CD (pubring.gpg)
               and at  ftp://ftp.suse.com/pub/suse/pubring.gpg-build.suse.de .
    
    
      - SuSE runs two security mailing lists to which any interested party may
        subscribe:
    
        This email address is being protected from spambots. You need JavaScript enabled to view it.
            -   general/linux/SuSE security discussion.
                All SuSE security announcements are sent to this list.
                To subscribe, send an email to
                    <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
    
        This email address is being protected from spambots. You need JavaScript enabled to view it.
            -   SuSE's announce-only mailing list.
                Only SuSE's security annoucements are sent to this list.
                To subscribe, send an email to
                    <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
    
        For general information or the frequently asked questions (faq)
        send mail to:
            <This email address is being protected from spambots. You need JavaScript enabled to view it.> or
            <This email address is being protected from spambots. You need JavaScript enabled to view it.> respectively.
    
        ===================================================
        SuSE's security contact is <This email address is being protected from spambots. You need JavaScript enabled to view it.>.
        The <This email address is being protected from spambots. You need JavaScript enabled to view it.> public key is listed below.
        ===================================================
    ______________________________________________________________________________
    
        The information in this advisory may be distributed or reproduced,
        provided that the advisory is not modified in any way. In particular,
        it is desired that the cleartext signature shows proof of the
        authenticity of the text.
        SuSE GmbH makes no warranties of any kind whatsoever with respect
        to the information contained in this security advisory.
    
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"25","type":"x","order":"1","pct":54.35,"resources":[]},{"id":"88","title":"Should be more technical","votes":"5","type":"x","order":"2","pct":10.87,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"16","type":"x","order":"3","pct":34.78,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.