A vulnerability exists in the esound package in SuSE versions >= 6.3.

______________________________________________________________________________

                        SuSE Security Announcement

        Package:                esound
        Date:                   Wednesday, October 11th, 2000 19:00 MEST
        Affected SuSE versions: 6.3, 6.4, 7.0
        Vulnerability Type:     local user compromise
        Severity (1-10):        3
        SuSE default package:   yes
        Other affected systems: Linux systems using esound with unix domain
                                socket support

    Content of this advisory:
        1) security vulnerability resolved: esound
           problem description, discussion,
           solution and upgrade information
        2) pending vulnerabilities, solutions, workarounds
        3) standard appendix (further information)

______________________________________________________________________________

1)  problem description, brief discussion, solution, upgrade information

    esound, a daemon program for the Gnome desktop, is used for sound replay
    by various programs such as window managers and other applications. The
    esound daemon creates a directory /tmp/.esd to host a unix domain socket.
    Upon startup, the daemon changes the modes of the socket, but a race
    condition allows an attacker to place a symlink into the directory that
    points to an arbitrary file belonging to the victim. As a consequence, an
    attacker may be able to change the permissions of any file belonging to
    the victim. If the victim's userid is root, the attacker may be able to
    change the modes of any file in the system.

    SuSE distributions before SuSE-6.3 were not vulnerable to this attack
    because unix domain sockets were not supported by the esound daemon as
    shipped with these distributions.

    The only efficient solution for the problem is to store the unix domain
    socket in a directory to which only the user has write access. The user's
    home directory is such a location. Update packages that fix the race
    condition by placing the socket into the user's home directory are
    available for download.

    It is recommended to apply the fix on systems where multiple users can
    access the local filesystem.

    Note: Not all filesystems support unix domain sockets. The fix might not
    work if the user's home directory is on such a filesystem (AFS, e.g.).
    In such rare cases, administrators are usually aware of such limitations.
    SuSE default installations do not have this limitation.

    Download the update package from the locations described below and
    install the package with the command `rpm -Fhv file.rpm'. The md5sum for
    each file is in the line below. You can verify the integrity of the rpm
    files using the command `rpm --checksig --nogpg file.rpm', independently
    from the md5 signatures below.

    i386 Intel Platform:
        SuSE-7.0 (binary and source rpm)
        SuSE-6.4 (binary and source rpm)
        SuSE-6.3 (binary and source rpm)

    Sparc Platform:
        SuSE-7.0 (binary and source rpm)

    AXP Alpha Platform:
        SuSE-6.4 (binary and source rpm)
        SuSE-6.3 (binary and source rpm)

    PPC Power PC Platform:
        SuSE-7.0 (binary and source rpm)
        SuSE-6.4 (binary and source rpm)

______________________________________________________________________________

2)  Pending vulnerabilities in SuSE Distributions and Workarounds:

    - gnorpm
      A race condition has been found in the gnorpm program, a GUI for the
      rpm system. The issue will be addressed in a following announcement.

    - ncurses
      The ncurses library contains buffer overflows that are exploitable
      when user-supplied terminfo databases are processed. This imposes a
      security risk on programs/binaries that are linked against libncurses
      and run with special privileges. Both the workaround and the clean
      solution are to remove the suid bit from all executable files that
      have the setuid bit set. The issue will be addressed in a following
      security announcement.

    - apache mod_rewrite
      A bug has been discovered in the apache package that allows attackers
      to read arbitrary files on a system that runs apache. The responsible
      apache module, named "mod_rewrite", is not used by default on SuSE
      installations of the apache package. The issue will be addressed in a
      following security announcement.

    - cfengine
      A format string parsing bug causes the cfengine package to be
      vulnerable to a remote root attack. Update packages are available;
      the security announcement is pending.

    - usermode/userhelper
      userhelper is a suid helper program designed to let the user who is
      logged on to the console execute some programs with root privileges.
      SuSE distributions do not contain the usermode package and therefore
      are not vulnerable to the security problems recently discovered in
      the usermode package.

    - tmpwatch
      The tmpwatch packages as shipped with SuSE distributions are not
      vulnerable to the attacks as discussed on security forums because we
      ship an older version that does not provide the functionality that
      can be exploited.

    - lprNG
      The versions of the lprNG package that come with SuSE distributions
      are not vulnerable to the format string parsing errors as discussed
      in security forums.

    - traceroute
      The traceroute program has been found vulnerable to a bug
      (`traceroute -g 1 -g 1') in many distributions. Newer SuSE
      distributions have a different implementation of the traceroute
      program and are not vulnerable to the bug found by Pekka Savola. The
      vulnerability could not be verified in older SuSE distributions.

______________________________________________________________________________

3)  standard appendix:

    SuSE runs two security mailing lists to which any interested party may
    subscribe:
Esound, the Gnome sound server, contains a race condition that a malicious user could exploit to change permissions of any file owned by the esound user.

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Synopsis:          esound contains a race condition
Advisory ID:       RHSA-2000:077-03
Issue date:        2000-10-06
Updated on:        2000-10-06
Product:           Red Hat Linux
Keywords:          esound security esd socket Gnome
Cross references:  N/A
---------------------------------------------------------------------

1. Topic:

Esound, the Gnome sound server, contains a race condition that a
malicious user could exploit to change permissions of any file owned by
the esound user.

2. Relevant releases/architectures:

Red Hat Linux 6.0 - i386, alpha, sparc
Red Hat Linux 6.1 - i386, alpha, sparc
Red Hat Linux 6.2 - i386, alpha, sparc
Red Hat Linux 6.2EE - i386, alpha, sparc
Red Hat Linux 7.0 - i386
Red Hat Linux 7.0J - i386

3. Problem description:

Esound, the sound daemon used for Gnome, creates a world-writable
directory, /tmp/.esd. This directory is owned by the user running
esound, and is used to store a socket which is used by programs
connecting to the sound server. During startup, this socket's
permissions are adjusted. An attacker on the system can theoretically
create a symbolic link, and cause any file or directory owned by the
user running esound to be made world writable.

The new packages fix this race condition.

4. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

All active Gnome sessions should also be restarted after the upgrade is
applied.

5. Bug IDs fixed:

N/A

6. RPMs required:

Red Hat Linux 6.x:
alpha:
sparc:
i386:
sources:

Red Hat Linux 7.0:
i386:
sources:

7. Verification:

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

You can verify each package with the following command:

rpm --checksig

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg

8. References:

BugTraq ID: 1659

Copyright(c) 2000 Red Hat, Inc.
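Both problem descriptions above (SuSE section 1 and Red Hat section 3) come down to the same pattern: the daemon creates the socket in a shared directory and then adjusts its mode by pathname, which is the window a planted symlink exploits. The following is an added example, not code from esound or from either vendor's update: it creates the socket directory with the restrictive mode, verifies with lstat() that it is a real directory owned by the daemon user, and sets the socket mode through umask() at creation time so no later chmod() on a pathname is needed. The function names esd_secure_dir() and esd_bind_socket() are assumptions made for this example.

```c
/* Added example (not esound's code): race-free socket setup.  The
 * directory is validated with lstat(), and the socket is born 0700. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>
#include <unistd.h>

/* Accept 'dir' only if it is a real directory (not a symlink) owned by
 * 'uid' and writable by nobody else; a shared /tmp or a planted link fails. */
int esd_secure_dir(const char *dir, uid_t uid)
{
    struct stat st;
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;                  /* parent missing or not writable */
    if (lstat(dir, &st) != 0)       /* lstat() never follows a symlink */
        return -1;
    if (!S_ISDIR(st.st_mode) || st.st_uid != uid)
        return -1;                  /* symlink, file, or foreign owner */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return -1;                  /* group/other access: unsafe */
    return 0;
}

/* Bind dir/socket with mode 0700 applied by umask() during bind(), so there
 * is no create-then-chmod window.  Returns the socket fd, or -1. */
int esd_bind_socket(const char *dir, uid_t uid)
{
    struct sockaddr_un sa;
    mode_t old;
    int fd;
    if (esd_secure_dir(dir, uid) != 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    if (snprintf(sa.sun_path, sizeof sa.sun_path, "%s/socket", dir)
            >= (int)sizeof sa.sun_path)
        return -1;                  /* path too long for sun_path */
    unlink(sa.sun_path);            /* remove a stale socket, if any */
    if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
        return -1;
    old = umask(077);               /* socket node created as 0700 */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        umask(old); close(fd); return -1;
    }
    umask(old);
    return fd;
}
```

The vendors' fix moves the directory under the user's home; esd_secure_dir() is the check that makes that location trustworthy before the socket is created.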
ORBit and gnome-session each contained a denial-of-service hole. ORBit and esound each contained a security hole.

---------------------------------------------------------------------
                   Red Hat, Inc. Security Advisory

Package:           ORBit, esound, and gnome-core
Synopsis:          new ORBit, esound, and gnome-core packages
Advisory ID:       RHSA-1999:058-01
Issue Date:        1999-12-03
Updated on:
Keywords:
---------------------------------------------------------------------

1. Topic:

ORBit and gnome-session each contained a denial-of-service hole. ORBit
and esound each contained a security hole.

2. Problem description:

ORBit and esound used a source of random data that was easily
guessable, possibly allowing an attacker with local access to guess the
authentication keys used to control access to these services.

ORBit and gnome-session contained a bug that allowed attackers to
remotely crash a program under unusual circumstances.

In addition to fixing these problems, TCP Wrappers support has been
added to gnome-session. ORBit already makes use of TCP Wrappers. It is
recommended that this functionality be used when additional access
controls are desired on network access to these services.

3. Bug IDs fixed: (see bugzilla for more information)

4. Relevant releases/architectures:

Red Hat Linux 6.1, Intel and SPARC

5. Obsoleted by: None

6. Conflicts with: None

7. RPMs required:

Intel:
ORBit-0.5.0-2.i386.rpm
ORBit-devel-0.5.0-2.i386.rpm
esound-0.2.17-1.i386.rpm
esound-devel-0.2.17-1.i386.rpm
gnome-core-1.0.54-2.i386.rpm
gnome-core-devel-1.0.54-2.i386.rpm

SPARC:
ORBit-0.5.0-2.sparc.rpm
ORBit-devel-0.5.0-2.sparc.rpm
esound-0.2.17-1.sparc.rpm
esound-devel-0.2.17-1.sparc.rpm
gnome-core-1.0.54-2.sparc.rpm
gnome-core-devel-1.0.54-2.sparc.rpm

Source:
ORBit-0.5.0-2.src.rpm
esound-0.2.17-1.src.rpm
gnome-core-1.0.54-2.src.rpm

8. Solution:

For each RPM for your particular architecture, run:

rpm -Uvh filename

where filename is the name of the RPM.

9. Verification:

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

You can verify each package with the following command:

rpm --checksig filename

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg filename

Note that you need RPM >= 3.0 to check GnuPG keys.

10. References: