[Full-disclosure] [SECURITY] [DSA 1912-2] New advi packages fix arbitrary code execution

2009-10-24 Thread Steffen Joeris
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1912-2  secur...@debian.org
http://www.debian.org/security/  Steffen Joeris
October 23, 2009   http://www.debian.org/security/faq
- 

Package: advi
Vulnerability  : integer overflow
Problem type   : local (remote)
Debian-specific: no
CVE Ids: CVE-2009-3296 CVE-2009-2660

Because advi, an active DVI previewer and presenter, statically links
against camlimages, it was necessary to rebuild it in order to
incorporate the latest security fixes for camlimages, which could lead
to integer overflows via specially crafted TIFF files (CVE-2009-3296)
or GIF and JPEG images (CVE-2009-2660).


For the stable distribution (lenny), these problems have been fixed in
version 1.6.0-13+lenny2.

Due to a bug in the archive system, the fix for the oldstable
distribution (etch) cannot be released at the same time. These problems
will be fixed in version 1.6.0-12+etch2, once it is available.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems have been fixed in version 1.6.0-14+b1.


We recommend that you upgrade your advi package.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- 

Debian (stable)
- ---

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, 
mips, mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2.diff.gz
Size/MD5 checksum:    51609 21aed220ab54cc689a7ef13e51f801d9
  http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2.dsc
Size/MD5 checksum: 1655 b3702857e76699041f5313515c4ae59c
  http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0.orig.tar.gz
Size/MD5 checksum: 11436152 da0e71cbc99a8def27873d4f3c756fa6

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/a/advi/advi-examples_1.6.0-13+lenny2_all.deb
Size/MD5 checksum:  3896628 78cbd5f431332e48bd6f6838c71c4bd6

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_amd64.deb
Size/MD5 checksum:   738554 ff1868ddb0510d02db84f2c2a3fcdd36

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_arm.deb
Size/MD5 checksum:  1315080 5abb37dd7194607f07b956826830e052

armel architecture (ARM EABI)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_armel.deb
Size/MD5 checksum:  1317700 76f406d64477573fee49c1403914f525

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_hppa.deb
Size/MD5 checksum:  1328012 8d239035d7195a3da2d88a0ce1004df8

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_i386.deb
Size/MD5 checksum:   873922 0ed738039c6877f8a98e462b7990e0fe

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_ia64.deb
Size/MD5 checksum:  1366332 8113261f68b8ab1fa0a560cda28dddfb

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_mips.deb
Size/MD5 checksum:  1319406 9108849fdeed00e2848511b4da97f405

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_mipsel.deb
Size/MD5 checksum:  1317202 87f285d20318111851008f04698f17f0

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_powerpc.deb
Size/MD5 checksum:   862788 260fba666be7c705daf8a4387692aff7

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/a/advi/advi_1.6.0-13+lenny2_sparc.deb
Size/MD5 checksum:   851648 b60cb2ad932c4d094b595a57a632afb8


  These files will probably be moved into the stable distribution on
  its next update.

- 
-
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security 
dists/stable/updates/main
Mailing list: debian-security-annou...@lists.debian.org
Package info: `apt-cache show pkg' and 

[Full-disclosure] [SECURITY] [DSA 1916-1] New kdelibs packages fix SSL certificate verification weakness

2009-10-24 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1916-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano 
October 23, 2009   http://www.debian.org/security/faq
- 

Package: kdelibs
Vulnerability  : insufficient input validation
Problem type   : remote
Debian-specific: no
Debian bug : 546212
CVE ID : CVE-2009-2702

Dan Kaminsky and Moxie Marlinspike discovered that kdelibs, core libraries from
the official KDE release, does not properly handle a '\0' character in a domain
name in the Subject Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted
certificate issued by a legitimate Certification Authority.


For the oldstable distribution (etch), this problem has been fixed in
version 4:3.5.5a.dfsg.1-8etch3.

Due to a bug in the archive system, the fix for the stable distribution
(lenny), will be released as version 4:3.5.10.dfsg.1-0lenny3 once it is
available.

For the testing distribution (squeeze), and the unstable distribution (sid),
this problem has been fixed in version 4:3.5.10.dfsg.1-2.1.


We recommend that you upgrade your kdelibs packages.

Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1.orig.tar.gz
Size/MD5 checksum: 18684663 a3f13367dcadef4749ba0173c8bc5f8e
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.diff.gz
Size/MD5 checksum:   601207 616c29ec7f685e9b10c802eb6879d912
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3.dsc
Size/MD5 checksum: 1636 430e1a184def8c61269ebd4236ecf902

Architecture independent packages:

  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-data_3.5.5a.dfsg.1-8etch3_all.deb
Size/MD5 checksum:  8607892 a1326c3e10f4a1696b9d73115b417061
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.5a.dfsg.1-8etch3_all.deb
Size/MD5 checksum:    34648 f4697ef70a2bc020b1c633c92981e81f
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-doc_3.5.5a.dfsg.1-8etch3_all.deb
Size/MD5 checksum: 40162414 83be81e20b84b786c47a3351a3600c77

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_alpha.deb
Size/MD5 checksum: 11344344 fcf8158679c6b02b265065fba7249b83
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch3_alpha.deb
Size/MD5 checksum: 47410300 140679244bea5593cd7204757acffaa8
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch3_alpha.deb
Size/MD5 checksum:  1386002 759f49b6e4f61577f327f491eebbef2b

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch3_amd64.deb
Size/MD5 checksum: 27020178 9b823ef23ec5a6258bb9964dfd73
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch3_amd64.deb
Size/MD5 checksum:  1341570 4c1379c6a5a941996bcbb2e28e0337d2
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_amd64.deb
Size/MD5 checksum: 10400122 b69bbf19d34a6baf697f1ea837ffc861

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_arm.deb
Size/MD5 checksum:  9303052 0927e59f8992bb7038484aecd13fdae2
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.5a.dfsg.1-8etch3_arm.deb
Size/MD5 checksum: 46416584 0f497318d46b1964aa4fb6ebb33fdd30
  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.5a.dfsg.1-8etch3_arm.deb
Size/MD5 checksum:  1382294 ce520266aaa74f10d4bd1e0a3920f3b4

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.5a.dfsg.1-8etch3_hppa.deb
Size/MD5 checksum: 11295914 37e40fc7af826345ca0da0e57b65fd37
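The advisory above describes a certificate whose dNSName contains a '\0' byte: the CA sees (and validates) the whole string, while a client that hands the DER bytes to a C-string API stops comparing at the NUL. The following is an added example, not kdelibs or KDE code and not part of the advisory: it builds a constructed SubjectAltName (all hostnames hypothetical), then contrasts the C-string style comparison that makes such a certificate match "www.bank.example" with a check that honours the DER length and rejects the name outright.

```python
# Added example (not kdelibs/KDE code): a SubjectAltName dNSName that carries an
# embedded NUL, and the difference between a C-string style comparison (the
# CVE-2009-2702 bug class) and a length-honouring one. All names are hypothetical.

def der_len(n):
    """Encode a DER length field (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def parse_der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index just after the length)."""
    first = buf[i]
    i += 1
    if first < 0x80:
        return first, i
    k = first & 0x7F
    return int.from_bytes(buf[i:i + k], "big"), i + k

def build_san(names):
    """GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String (tag 0x82)."""
    inner = b"".join(b"\x82" + der_len(len(n)) + n for n in names)
    return b"\x30" + der_len(len(inner)) + inner

def dns_names(san):
    """Return the raw dNSName byte strings found in a GeneralNames SEQUENCE."""
    if san[0] != 0x30:
        raise ValueError("not a SEQUENCE")
    total, i = parse_der_len(san, 1)
    end = i + total
    out = []
    while i < end:
        tag = san[i]
        n, i = parse_der_len(san, i + 1)
        if tag == 0x82:
            out.append(san[i:i + n])
        i += n
    return out

def matches_cstring_style(san, host):
    """Vulnerable pattern: the DER bytes are treated as a C string, so the
    comparison silently stops at the first NUL byte and the suffix is ignored."""
    want = host.encode("ascii")
    return any(name.split(b"\x00", 1)[0] == want for name in dns_names(san))

def matches_safe(san, host):
    """Hardened pattern: a dNSName whose DER length disagrees with its C-string
    length (it contains a NUL) is rejected; otherwise compare the whole byte string."""
    want = host.encode("ascii").lower()
    for name in dns_names(san):
        if b"\x00" in name:
            continue
        if name.lower() == want:
            return True
    return False

# Constructed SAN of the kind a CA that only validates ownership of the suffix
# ".attacker.example" might issue; GOOD_SAN is an ordinary certificate for comparison.
EVIL_SAN = build_san([b"www.bank.example\x00.attacker.example"])
GOOD_SAN = build_san([b"www.bank.example", b"bank.example"])
```

The same length-versus-NUL check belongs wherever a certificate field is turned into a hostname string, including the CN fallback; the fix in the client is to compare the full DER length, not to hope the CA refused the name.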
  

[Full-disclosure] [SECURITY] [DSA 1917-1] New mimetex packages fix several vulnerabilities

2009-10-24 Thread Giuseppe Iuculano
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- 
Debian Security Advisory DSA-1917-1  secur...@debian.org
http://www.debian.org/security/  Giuseppe Iuculano
October 24, 2009   http://www.debian.org/security/faq
- 

Package: mimetex
Vulnerability  : several vulnerabilities
Problem type   : remote (local)
Debian-specific: no
Debian bug : 537254
CVE Ids: CVE-2009-1382 CVE-2009-2459


Several vulnerabilities have been discovered in mimetex, a lightweight
alternative to MathML. The Common Vulnerabilities and Exposures project
identifies the following problems:

CVE-2009-1382

Chris Evans and Damien Miller discovered multiple stack-based buffer overflows.
An attacker could execute arbitrary code via a TeX file with long picture,
circle, or input tags.

CVE-2009-2459

Chris Evans discovered that mimeTeX contained certain directives that may be
unsuitable for handling untrusted user input. A remote attacker can obtain
sensitive information.


For the oldstable distribution (etch), these problems have been fixed in
version 1.50-1+etch1.

Due to a bug in the archive system, the fix for the stable distribution
(lenny) will be released as version 1.50-1+lenny1 once it is available.

For the testing distribution (squeeze), and the unstable distribution (sid),
these problems have been fixed in version 1.50-1.1.


We recommend that you upgrade your mimetex packages.


Upgrade instructions
- 

wget url
will fetch the file for you
dpkg -i file.deb
will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
will update the internal database
apt-get upgrade
will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- ---

Debian (oldstable)
- --

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, 
mipsel, powerpc, s390 and sparc.

Source archives:

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1.dsc
Size/MD5 checksum:  584 4c4ac225a147438ea1bb7be1b0f65019
  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1.diff.gz
Size/MD5 checksum: 5318 5d3a2a06fecf83d573c8cbb9c778ddf0
  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50.orig.tar.gz
Size/MD5 checksum:   401817 cdda954fc3a436daa8345ecbfdb084c3

alpha architecture (DEC Alpha)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_alpha.deb
Size/MD5 checksum:   154406 b525a79c4c6e92ebe5d6853261edb7d9

amd64 architecture (AMD x86_64 (AMD64))

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_amd64.deb
Size/MD5 checksum:   151848 b01a4cf79985dbc98aa468b27355c005

arm architecture (ARM)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_arm.deb
Size/MD5 checksum:   150546 8041ce35d9d2457999e217bd9ecff233

hppa architecture (HP PA RISC)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_hppa.deb
Size/MD5 checksum:   148156 0f7d099d12f46f9c74a9d4863cacb676

i386 architecture (Intel ia32)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_i386.deb
Size/MD5 checksum:   143668 55db42c430e79ebd525679d72c8556f8

ia64 architecture (Intel ia64)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_ia64.deb
Size/MD5 checksum:   188604 5f4c8c896998e82797bba6a0997d550c

mips architecture (MIPS (Big Endian))

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_mips.deb
Size/MD5 checksum:   155176 c080d72fef8acd63fa27b0a5cf7688bd

mipsel architecture (MIPS (Little Endian))

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_mipsel.deb
Size/MD5 checksum:   156068 96a3663cab62464f23ea747f679fbb57

powerpc architecture (PowerPC)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_powerpc.deb
Size/MD5 checksum:   145470 84ec68d2dcf0378f634f7cdc48c272d2

s390 architecture (IBM S/390)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_s390.deb
Size/MD5 checksum:   157512 493034d85d335c5c48358aac4fa5365f

sparc architecture (Sun SPARC/UltraSPARC)

  
http://security.debian.org/pool/updates/main/m/mimetex/mimetex_1.50-1+etch1_sparc.deb
Size/MD5 checksum:   146950 657d93204c670f44c337d85b5fa9a67b


  These files will probably be moved into the stable distribution on
  its next update.

- 
-

[Full-disclosure] [US-1984-1] JTTF (Joint Terrorism Task Force) and Fusion Center. Common Sense.

2009-10-24 Thread GOBBLES
Ladies and gentlemen,

The PATRIOT act is a bill that has been rushed through congress. 
Our impulse reactions to a single attack caused us to jump and hug 
the leg of an explosively intrusive government who feels they have 
the right to judge, sift through and develop conspiracy theories on 
people. Because of the lack of oversight, it's difficult to uncover 
the abuses done. And who do you hold accountable when the 
government harasses you?

How on Earth can a local cop possibly understand the rigid 
complexities of being a domestic intelligence officer? How can we 
hold them accountable when their mistakes, inefficiencies and 
malice are secret?

66 JTTF's in the US proactively harassing and profiling innocent 
people. We know full well this is an unnecessary force that 
undermines democracy and free thought. This isn't about thwarting 
terrorism to them, because that's rarely the effect, it's about 
concentration of power and diluting the constitution and having 
hitlists on innocent people.

I have a colleague of mine who works in the California Highway 
Patrol intelligence division and he says when they find child porn, 
they keep it in there as evidence. And since the police are 
fraternal and protect each other (code of silence) they make no 
effort to log each other's views or accessing documents. It quite 
literally is cryptoanarchy mixed with pedophilia in the government.

They use fusion centers to store child pornography and rape videos 
without protecting the children or catching real criminals. Since 
there is no oversight, pedophiles with security clearances damage 
innocent children unfettered under the pretext of national 
security. Pretty amazing.

It's all too familiar. Department of Justice political playbook for 
increasing their political power share. On CNN they tout it as 
heroism in JTTF, but this is a veneer of setting up schizos and 
radicals. Oh no, we're under attack. Hello? We have criminals! Very 
bad people! But let's not get ahead of ourselves.

To the FBI/JTTF: Stop using fusion centers to hoard child 
pornography. Please.

A little bit of common sense could go a long way.

- Andrew Wallace
  Senior Security Researcher

  Intelligence. Globally (TM)
  Open Source INT: www.twitter.com/n3td3v
  Hypertext Home Page: http://sites.google.com/site/n3td3v/ -

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] Jetty 6.x and 7.x Multiple Vulnerabilities

2009-10-24 Thread ascii
Jetty 6.x and 7.x Multiple Vulnerabilities

 Name  Multiple Vulnerabilities in Jetty
 Systems Affected  Jetty 7.0.0 and earlier versions
 Severity  Medium
 Impact (CVSSv2)   Medium 5/10, vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
 Vendorhttp://www.mortbay.org/jetty/
 Advisory  http://www.ush.it/team/ush/hack-jetty6x7x/jetty-adv.txt
 Authors   Francesco ascii Ongaro (ascii AT ush DOT it)
   Giovanni evilaliv3 Pellerano (evilaliv3 AT ush DOT it)
   Antonio s4tan Parata (s4tan AT ush DOT it)
 Date  20091024

I. BACKGROUND

Jetty is an open-source project providing an HTTP server, HTTP client and
javax.servlet container. These 100% Java components are full-featured,
standards-based, small-footprint, embeddable, asynchronous and
enterprise scalable. Jetty is dual licensed under the Apache License
2.0 and/or the Eclipse Public License 1.0. Jetty is free for commercial
use and distribution under the terms of either of those licenses.

Jetty is used in a wide variety of projects and products: embedded in
phones, in tools like the Eclipse IDE, in frameworks like GWT, in
application servers like Apache Geronimo and in huge clusters like
Yahoo's Hadoop cluster.

The latest version at the time of writing can be obtained from:
http://dist.codehaus.org/jetty/jetty-7.0.0/jetty-hightide-7.0.0.v20091005.tar.gz

Running Jetty 7.0.x is very easy, from the documentation page at:
http://docs.codehaus.org/display/JETTY/Running+Jetty-7.0.x

- From an unpacked release directory of jetty-7,
  the server can be started with the command: java -jar start.jar

- This will start a HTTP server on port 8080 and
  deploy the test web application at: http://localhost:8080/test

II. DESCRIPTION

Multiple Vulnerabilities exist in Jetty software.

III. ANALYSIS

Summary:

 A) Dump Servlet information leak
(Affected versions: Any)

 B) FORM Authentication demo information leak
(Affected versions: Any)

 C) JSP Dump reflected XSS
(Affected versions: Any)

 D) Session Dump Servlet stored XSS
(Affected versions: Any)

 E) Cookie Dump Servlet escape sequence injection
(Affected versions: Any)

 F) Http Content-Length header escape sequence injection
(Affected versions: Any)

 G) Cookie Dump Servlet stored XSS
(Affected versions: <=6.1.20)

 H) WebApp JSP Snoop page XSS
(Affected versions: <=6.1.21)


A) Dump Servlet information leak
   (Affected versions: Any)

By requesting the demo Dump Servlet at a URL like /test/dump/
it's possible to obtain a number of details about the remote Jetty
instance.

Variables: getMethod, getContentLength, getContentType, getRequestURI,
getRequestURL, getContextPath, getServletPath, getPathInfo,
getPathTranslated, getQueryString, getProtocol, getScheme,
getServerName, getServerPort, getLocalName, getLocalAddr,
getLocalPort, getRemoteUser, getRemoteAddr, getRemoteHost,
getRemotePort, getRequestedSessionId, isSecure(), isUserInRole(admin),
getLocale, getLocales, getLocales

Plus a dump of all the HTTP request headers, the request parameters
and much more.

Five forms can be used to perform a series of functionality tests
including:

  - Form to generate GET content
  - Form to generate POST content
  - Form to generate UPLOAD content
  - Form to set Cookie
  - Form to get Resource

While this is a feature, we think that demo utilities should be
disabled by default. Many live deployments of Jetty exhibit demo
pages that leak important information and expose several vulnerabilities.

B) FORM Authentication demo information leak
   (Affected versions: Any)

An example application often erroneously deployed is the FORM
Authentication demo (logon.html and logonError.html pages) that uses
the standard j_security_check component.

By requesting the /test/logon.html page it's possible to detect the
presence of a Jetty installation.

As noted before we think that demo utilities should be disabled by
default.

C) JSP Dump reflected XSS
   (Affected versions: Any)

It has been found that the demo JSP Dump feature is vulnerable to
reflected Cross Site Scripting attacks. This can be replicated by
issuing a GET request to the /test/jsp/dump.jsp page:
/test/jsp/dump.jsp?%3Cscript%3Ealert(%22hello%20world%22)%3C/script%3E

Any GET key or value that reaches the remote host is reflected unencoded.

The problem resides in the jsp/dump.jsp file from the
webapps/test.war archive.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

<html><head>
<%@ page import="java.util.Enumeration" %>
</head><body>
<h1>JSP Dump</h1>

<table border="1">
<tr><th>Request URI:</th><td><%= request.getRequestURI() %></td></tr>
<tr><th>ServletPath:</th><td><%= request.getServletPath() %></td></tr>
<tr><th>PathInfo:</th><td><%= request.getPathInfo() %></td></tr>

<%
   // every parameter name and value is written into the page unencoded,
   // which is the reflected XSS described above
   Enumeration e = request.getParameterNames();
   while(e.hasMoreElements())
   {
       String name = (String)e.nextElement();
%>
<tr>
  <th>getParameter(<%= name %>)</th>
  <td><%= request.getParameter(name) %></td></tr>
<% } %>

</table>
</body></html>

--8<--8<--8<--8<
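The dump page reflects both the parameter name and the parameter value, and in the proof of concept above the whole payload is the name (there is no "="), so escaping values alone would not close the hole. The following is an added example, not Jetty's code and not part of the advisory: it reproduces the dump pattern in Python exactly as the advisory describes it, then beside it the hardened rendering that HTML-escapes every attacker-controlled string. The query string is the one from the advisory; everything else is constructed.

```python
# Added example (not Jetty's code): the parameter-dump pattern from dump.jsp,
# reproduced in Python, first as the advisory describes it (raw reflection of
# both the parameter name and value) and then with HTML escaping of both.
import html
from urllib.parse import parse_qsl

# The query string from the advisory's proof of concept. The whole payload is
# the parameter *name* with an empty value, so escaping only values is not enough.
POC_QUERY = "%3Cscript%3Ealert(%22hello%20world%22)%3C/script%3E"

def _params(query):
    # keep_blank_values=True so a bare "name" with no "=" survives, as the
    # servlet API's getParameterNames() would still report it
    return parse_qsl(query, keep_blank_values=True)

def render_dump_unsafe(query):
    """Mirror of the vulnerable JSP: name and value are interpolated as-is."""
    rows = [f"<tr><th>getParameter({name})</th><td>{value}</td></tr>"
            for name, value in _params(query)]
    return "<table border=1>" + "".join(rows) + "</table>"

def render_dump_safe(query):
    """Hardened rendering: every attacker-controlled string is escaped for the
    HTML text context it lands in (quote=True also covers attribute contexts)."""
    rows = [("<tr><th>getParameter({})</th><td>{}</td></tr>"
             .format(html.escape(name, quote=True), html.escape(value, quote=True)))
            for name, value in _params(query)]
    return "<table border=1>" + "".join(rows) + "</table>"

def reflects_script(page):
    """Crude check used below: does the rendered page contain a live <script> tag?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    print("unsafe page contains <script>:", reflects_script(render_dump_unsafe(POC_QUERY)))  # True
    print("safe page contains <script>:  ", reflects_script(render_dump_safe(POC_QUERY)))    # False
```

In the JSP itself the equivalent change is to pass both `name` and `request.getParameter(name)` through an HTML-escaping function before the `<%= %>` expressions; the more important operational fix, as the advisory says, is not to deploy test.war and the other demo applications on a production instance at all.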