SuSE Essential and Critical Security Patch Updates - Page 788

Security hole in ProFTPD

Several buffer overflows have been found in proftpd which have been verified to be exploitable by a remote attacker. The finding and fixing of new holes has been going on for over 2 weeks now, and there is no end in sight. Even with all known fixes applied, proftpd is still vulnerable to remote exploitation.

Security hole in lynx

When lynx calls external programs for protocols (e.g. telnet), the location is passed unchecked. This can be used to inject command-line parameters. For example, the reference [A HREF="telnet://-n.rhosts"]click me[/A] would activate the tracefile option of the telnet client, with the result that a .rhosts file in the current directory would be created or overwritten.

Security hole in cron

Three security problems were found in the vixie crond which is shipped with SuSE Linux:
1) no bounds checking on a local buffer while copying data from MAILTO
2) passing invalid options to sendmail
3) it does not drop root privileges while sending the acknowledgement mail to a user

Security hole in rsync

The security breach occurs when you try to transfer an empty directory into a non-existent directory. In that case rsync sets the permissions of the working directory to those of the empty directory; this means that the permissions of your home directory are changed to the file access mode of the empty directory if you do a remote rsync using ssh/rsh.

Security hole in netcfg

The way in.identd is started by inetd from a standard /etc/inetd.conf on a SuSE Linux distribution may be exploited to mount a Denial-of-Service attack against the system. When inetd starts in.identd with the "wait" flag and the "-w -t120" options, in.identd starts to listen on the well-known port itself while inetd deactivates its own listener for as long as in.identd is alive.

Security hole in termcap

A buffer overflow has been found in libtermcap's tgetent() function. If a setuid root program uses this function, a local user could execute arbitrary code with root privileges. SuSE Linux 6.0, 6.1 and 6.2 are not affected, since the only program using libtermcap is bc, and bc is not setuid root.

Security hole in i4l (xmonisdn)

xmonisdn, which is part of the i4l package, is installed setuid root by default. To control and display the status of the ISDN network connections, xmonisdn runs external programs via the system() call without setting up a safe environment. The problem arises with old libc versions that do not overwrite the IFS environment variable.

Security hole in samba

a) A setuid root installed smbmnt could lead to a security breach due to a race condition.
b) The NetBIOS name server nmbd is vulnerable to a denial-of-service attack.
c) The message service of the SMB/CIFS server has a buffer overflow.

Security hole in Klock

The KDE screensaver klock contains a bug which allows the password authentication to be bypassed. While klock waits for kcheckpass to verify the password, a timer is triggered and the dialog box is deleted. After kcheckpass completes, klock crashes.

Security hole in XFree86

XFree86 creates a directory in /tmp with the name .X11-unix for the X sockets and sets the directory to mode 1777. If an attacker creates a symlink with that name pointing to another directory (e.g. /root), the permissions of the target directory are set to 1777.

Security hole in Netscape Communicator 4.5

Netscape Communicator 4.5 comes with "talkback", a quality enhancement tool by Fullcircle (www.fullcircle.com). If the communicator crashes for any reason, the file with the name /tmp/.$UID.talkback is read in, and the pid stored in this file is killed. After that, the file is truncated/created without any checks for symlinks or hard links, and the pid of the current talkback process is written into the file.