[Full-Disclosure] [ GLSA 200409-24 ] Foomatic: Arbitrary command execution in foomatic-rip filter
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200409-24
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Foomatic: Arbitrary command execution in foomatic-rip filter
      Date: September 20, 2004
      Bugs: #64166
        ID: 200409-24

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The foomatic-rip filter in foomatic-filters contains a vulnerability
which may allow arbitrary command execution on the print server.

Background
==========

Foomatic is a system for connecting printer drivers with spooler systems
such as CUPS and LPD. The foomatic-filters package contains wrapper
scripts which are designed to be used with Foomatic.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  net-print/foomatic               <= 3.0.1                 >= 3.0.2
  2  net-print/foomatic-filters       <= 3.0.1                 >= 3.0.2
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

There is a vulnerability in the foomatic-filters package. This
vulnerability is due to insufficient checking of command-line parameters
and environment variables in the foomatic-rip filter.

Impact
======

This vulnerability may allow both local and remote attackers to execute
arbitrary commands on the print server with the permissions of the
spooler (oftentimes the "lp" user).

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All foomatic users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=net-print/foomatic-3.0.2"
    # emerge ">=net-print/foomatic-3.0.2"

PLEASE NOTE: You should update foomatic, instead of foomatic-filters.
This will help to ensure that all other foomatic components remain
functional.

References
==========

  [ 1 ] Foomatic Announcement
        http://www.linuxprinting.org/pipermail/foomatic-devel/2004q3/001996.html
  [ 2 ] Mandrakesoft Security Advisory
        http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:094
  [ 3 ] CAN-2004-0801
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0801

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200409-24.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200408-25 ] MoinMoin: Group ACL bypass
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200408-25
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: MoinMoin: Group ACL bypass
      Date: August 26, 2004
      Bugs: #57913
        ID: 200408-25

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

MoinMoin contains a bug allowing anonymous users to bypass ACLs (Access
Control Lists) and carry out operations that should be limited to
authorized users.

Background
==========

MoinMoin is a Python clone of WikiWiki, based on PikiPiki.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  net-www/moinmoin                 <= 1.2.2                 >= 1.2.3

Description
===========

MoinMoin contains two unspecified bugs, one allowing anonymous users
elevated access when not using ACLs, and the other in the ACL handling
in the PageEditor.

Impact
======

Restrictions on anonymous users were not properly enforced. This could
lead to unauthorized users gaining administrative access to functions
such as "revert" and "delete". Sites are vulnerable whether or not they
are using ACLs.

Workaround
==========

There is no known workaround.

Resolution
==========

All users should upgrade to the latest available version of MoinMoin,
as follows:

    # emerge sync
    # emerge -pv ">=net-www/moinmoin-1.2.3"
    # emerge ">=net-www/moinmoin-1.2.3"

References
==========

  [ 1 ] MoinMoin Announcement
        https://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801
  [ 2 ] OSVDB Advisory 8194
        http://www.osvdb.org/displayvuln.php?osvdb_id=8194
  [ 3 ] OSVDB Advisory 8195
        http://www.osvdb.org/displayvuln.php?osvdb_id=8195

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-25.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200408-23 ] kdelibs: Cross-domain cookie injection vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200408-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: kdelibs: Cross-domain cookie injection vulnerability
      Date: August 24, 2004
      Bugs: #61389
        ID: 200408-23

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The cookie manager component in kdelibs contains a vulnerability
allowing an attacker to potentially gain access to a user's session on a
legitimate web server.

Background
==========

KDE is a widely-used desktop environment based on the Qt toolkit.
kcookiejar in kdelibs is responsible for storing and managing HTTP
cookies. Konqueror uses kcookiejar for storing and managing cookies.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  kde-base/kdelibs                 <= 3.2.3-r1           >= 3.2.3-r2

Description
===========

kcookiejar contains a vulnerability which may allow a malicious website
to set cookies for other websites under the same second-level domain.
This vulnerability applies to country-specific secondary top level
domains that use more than 2 characters in the secondary part of the
domain name, and that use a secondary part other than com, net, mil,
org, gov, edu or int. However, certain popular domains, such as co.uk,
are not affected.

Impact
======

Users visiting a malicious website using the Konqueror browser may have
a session cookie set for them by that site. Later, when the user visits
another website under the same domain, the attacker's session cookie
will be used instead of the cookie issued by the legitimate site.
Depending on the design of the legitimate site, this may allow an
attacker to gain access to the user's session. For further explanation
on this type of attack, see the paper titled "Session Fixation
Vulnerability in Web-based Applications" (reference 2).

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of kdelibs.

Resolution
==========

All kdelibs users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=kde-base/kdelibs-3.2.3-r2"
    # emerge ">=kde-base/kdelibs-3.2.3-r2"

References
==========

  [ 1 ] KDE Advisory
        http://www.kde.org/info/security/advisory-20040823-1.txt
  [ 2 ] Session Fixation Vulnerability in Web-based Applications
        http://www.acros.si/papers/session_fixation.pdf

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-23.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
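The Domain-attribute rule described in the kdelibs advisory above, as an added example in Python (not kcookiejar's code): flawed_domain_ok models the heuristic as the advisory describes it, and suffix_domain_ok shows the registry-suffix check that closes the gap. PUBLIC_SUFFIXES is a constructed excerpt, with ltd.uk standing in for a country-specific second-level name of more than two characters.

```python
# Added example (not kcookiejar code): models the cookie Domain-attribute check
# the advisory describes and contrasts it with a registry-suffix-based check.
# PUBLIC_SUFFIXES is a constructed excerpt; a deployment would load the full
# Public Suffix List instead.

COUNTRY_SECOND_LEVEL_NAMES = {"com", "net", "mil", "org", "gov", "edu", "int"}

# Constructed excerpt of registry-controlled suffixes (assumption for this demo).
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "ltd.uk", "ac.uk", "au", "com.au"}


def _labels(name):
    return name.lower().strip(".").split(".")


def domain_matches(host, domain):
    """The Domain attribute must be the host itself or a parent of it."""
    h, d = host.lower().strip("."), domain.lower().strip(".")
    return h == d or h.endswith("." + d)


def flawed_domain_ok(host, domain):
    """Rule as the advisory describes it: a two-label Domain under a two-letter
    ccTLD is refused only when its second-level label has at most two
    characters or is one of com/net/mil/org/gov/edu/int. Anything else, e.g.
    a three-letter registry name such as ltd.uk, is accepted, which lets one
    site scope a cookie to every site under that registry."""
    if not domain_matches(host, domain):
        return False
    labels = _labels(domain)
    if len(labels) < 2:
        return False  # a bare top-level domain is never acceptable
    if len(labels) == 2 and len(labels[-1]) == 2:
        sld = labels[-2]
        if len(sld) <= 2 or sld in COUNTRY_SECOND_LEVEL_NAMES:
            return False
    return True


def suffix_domain_ok(host, domain, suffixes=PUBLIC_SUFFIXES):
    """Hardened rule: the Domain must sit strictly below the longest public
    suffix it contains, so no site can scope a cookie to a whole registry.
    A Domain whose suffix is not in the list is refused (conservative)."""
    if not domain_matches(host, domain):
        return False
    labels = _labels(domain)
    for i in range(len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return i > 0  # i labels sit above the suffix; 0 means it IS the suffix
    return False
```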
[Full-Disclosure] [ GLSA 200408-20 ] Qt: Image loader overflows
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200408-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Qt: Image loader overflows
      Date: August 22, 2004
      Bugs: #60855
        ID: 200408-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There are several bugs in Qt's image-handling code which could lead to
crashes or arbitrary code execution.

Background
==========

Qt is a cross-platform GUI toolkit used by KDE.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  x11-libs/qt                      <= 3.3.2                 >= 3.3.3

Description
===========

There are several unspecified bugs in the QImage class which may cause
crashes or allow execution of arbitrary code as the user running the Qt
application. These bugs affect the PNG, XPM, BMP, GIF and JPEG image
types.

Impact
======

An attacker may exploit these bugs by causing a user to open a
carefully-constructed image file in any one of these formats. This may
be accomplished through e-mail attachments (if the user uses KMail), or
by simply placing a malformed image on a website and then convincing the
user to load the site in a Qt-based browser (such as Konqueror).

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version of Qt.

Resolution
==========

All Qt users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=x11-libs/qt-3.3.3"
    # emerge ">=x11-libs/qt-3.3.3"

References
==========

  [ 1 ] Mandrake Advisory
        http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:085
  [ 2 ] Qt 3.3.3 ChangeLog
        http://www.trolltech.com/developer/changes/changes-3.3.3.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200408-19 ] courier-imap: Remote Format String Vulnerability
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200408-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: courier-imap: Remote Format String Vulnerability
      Date: August 19, 2004
      Bugs: #60865
        ID: 200408-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a format string vulnerability in non-standard configurations
of courier-imapd which may be exploited remotely. An attacker may be
able to execute arbitrary code as the user running courier-imapd
(oftentimes root).

Background
==========

Courier-IMAP is an IMAP server which is part of the Courier mail system.
It provides access only to maildirs.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  net-mail/courier-imap            <= 3.0.2-r1              >= 3.0.5

Description
===========

There is a format string vulnerability in the auth_debug() function
which can be exploited remotely, potentially leading to arbitrary code
execution as the user running the IMAP daemon (oftentimes root). A
remote attacker may send username or password information containing
printf() format tokens (such as "%s"), which will crash the server or
cause it to execute arbitrary code. This vulnerability can only be
exploited if DEBUG_LOGIN is set to something other than 0 in the imapd
config file.

Impact
======

If DEBUG_LOGIN is enabled in the imapd configuration, a remote attacker
may execute arbitrary code as the root user.

Workaround
==========

Set the DEBUG_LOGIN option in /etc/courier-imap/imapd to 0. (This is the
default value.)

Resolution
==========

All courier-imap users should upgrade to the latest version:

    # emerge sync
    # emerge -pv ">=net-mail/courier-imap-3.0.5"
    # emerge ">=net-mail/courier-imap-3.0.5"

References
==========

  [ 1 ] iDEFENSE Advisory
        http://www.idefense.com/application/poi/display?id=131&type=vulnerabilities&flashstatus=true

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200408-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
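Two checks that follow from the courier-imap advisory's workaround and description, as added example code (not part of Courier or of the GLSA): an audit of the DEBUG_LOGIN setting in an imapd configuration, which this example assumes is a shell-style KEY=value file, and detection of printf() directives in IMAP LOGIN credentials, run over constructed sample lines.

```python
# Added example (not Courier code): a config audit for the DEBUG_LOGIN
# workaround and a detector for printf directives in IMAP LOGIN credentials.
# Assumes /etc/courier-imap/imapd is a shell-style KEY=value file; the LOGIN
# lines and config text at the bottom are constructed sample input.
import re

# One printf conversion directive: %[flags][width][.precision][length]conv.
# "%%" is matched as its own alternative so a literal percent is not reported.
PRINTF_DIRECTIVE = re.compile(
    r"%(?:%|[-+ #0]*(?:\d+|\*)?(?:\.(?:\d+|\*))?(?:hh|h|ll|l|q|L|j|z|t)?"
    r"[diouxXeEfFgGaAcspn])"
)

# Tagged IMAP LOGIN with a quoted username and password.
IMAP_LOGIN = re.compile(
    r'^(?P<tag>\S+)\s+LOGIN\s+"(?P<user>(?:[^"\\]|\\.)*)"\s+"(?P<pw>(?:[^"\\]|\\.)*)"\s*$',
    re.IGNORECASE,
)


def parse_shell_config(text):
    """KEY=value lines; '#' comments and blanks are skipped, surrounding quotes
    are stripped, and a later assignment wins, as when the file is sourced."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def debug_login_enabled(config_text):
    """True when DEBUG_LOGIN is set to anything but 0. The advisory states 0
    is the default, so an absent key counts as disabled."""
    return parse_shell_config(config_text).get("DEBUG_LOGIN", "0").strip() != "0"


def find_format_directives(field):
    """printf directives present in one login field, "%%" excluded."""
    return [t for t in PRINTF_DIRECTIVE.findall(field) if t != "%%"]


def flag_login_commands(lines):
    """(line_no, tag, directives) for every LOGIN command whose username or
    password carries printf directives; other commands are ignored."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IMAP_LOGIN.match(line)
        if not m:
            continue
        found = find_format_directives(m.group("user")) + find_format_directives(m.group("pw"))
        if found:
            hits.append((n, m.group("tag"), found))
    return hits


# Constructed sample input (not a real configuration or captured traffic).
SAMPLE_CONFIG = 'DEBUG_LOGIN=0\n# enabled below by an operator debugging auth\nDEBUG_LOGIN="2"\n'
SAMPLE_LOGINS = [
    'a001 LOGIN "alice" "s3cret"',
    'a002 LOGIN "%s%s%s" "x"',
    'a003 NOOP',
    'a004 LOGIN "bob" "100%%safe"',
    'a005 LOGIN "carol" "pw%08xend"',
]

if __name__ == "__main__":
    print("DEBUG_LOGIN enabled:", debug_login_enabled(SAMPLE_CONFIG))
    for hit in flag_login_commands(SAMPLE_LOGINS):
        print("line %d (%s): %s" % hit)
```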
[Full-Disclosure] [ GLSA 200407-20 ] Subversion: Vulnerability in mod_authz_svn
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200407-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Low
     Title: Subversion: Vulnerability in mod_authz_svn
      Date: July 26, 2004
      Bugs: #57747
        ID: 200407-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Users with write access to parts of a Subversion repository may bypass
read restrictions in mod_authz_svn and read any part of the repository
they wish.

Background
==========

Subversion is an advanced version control system, similar to CVS, which
supports additional functionality such as the ability to move, copy and
delete files and directories. A Subversion server may be run as an
Apache module, a standalone server (svnserve), or on-demand over ssh (a
la CVS' ":ext:" protocol). The mod_authz_svn Apache module works with
Subversion in Apache to limit access to parts of Subversion repositories
based on policy set by the administrator.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  dev-util/subversion              <= 1.0.4-r1              >= 1.0.6

Description
===========

Users with write access to part of a Subversion repository may bypass
read restrictions on any part of that repository. This can be done using
an "svn copy" command to copy the portion of a repository the user
wishes to read into an area where they have write access. Since copies
are versioned, any such copy attempts will be readily apparent.

Impact
======

This is a low-risk vulnerability. It affects only users of Subversion
who are running servers inside Apache and using mod_authz_svn.
Additionally, this vulnerability may be exploited only by users with
write access to some portion of a repository.

Workaround
==========

Keep sensitive content separated into different Subversion
repositories, or disable the Apache Subversion server and use svnserve
instead.

Resolution
==========

All Subversion users should upgrade to the latest available version:

    # emerge sync
    # emerge -pv ">=dev-util/subversion-1.0.6"
    # emerge ">=dev-util/subversion-1.0.6"

References
==========

  [ 1 ] ChangeLog for Subversion 1.0.6
        http://svn.collab.net/repos/svn/tags/1.0.6/CHANGES

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200407-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200407-01 ] Esearch: Insecure temp file handling
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200407-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Esearch: Insecure temp file handling
      Date: July 01, 2004
      Bugs: #55424
        ID: 200407-01

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

The eupdatedb utility in esearch creates a file in /tmp without first
checking for symlinks. This makes it possible for any user to create
arbitrary files.

Background
==========

Esearch is a replacement for the Portage command "emerge search". It
uses an index to speed up searching of the Portage tree.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  app-portage/esearch              <= 0.6.1                 >= 0.6.2

Description
===========

The eupdatedb utility uses a temporary file (/tmp/esearchdb.py.tmp) to
indicate that the eupdatedb process is running. When run, eupdatedb
checks to see if this file exists, but it does not check to see if it is
a broken symlink. In the event that the file is a broken symlink, the
script will create the file pointed to by the symlink, instead of
printing an error and exiting.

Impact
======

An attacker could create a symlink from /tmp/esearchdb.py.tmp to a
nonexistent file (such as /etc/nologin), and the file will be created
the next time esearchdb is run.

Workaround
==========

There is no known workaround at this time. All users should upgrade to
the latest available version of esearch.

Resolution
==========

All users should upgrade to the latest available version of esearch, as
follows:

    # emerge sync
    # emerge -pv ">=app-portage/esearch-0.6.2"
    # emerge ">=app-portage/esearch-0.6.2"

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200407-01.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
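The broken-symlink check described in the esearch advisory above, as an added example (not esearch's code): a constructed model of the flawed existence test beside a hardened lock-file creation, run in a throwaway directory rather than in /tmp, with a local file standing in for /etc/nologin.

```python
# Added example (not esearch's code): a constructed model of the eupdatedb
# lock-file check the advisory describes, beside a hardened version. The lock
# name comes from the advisory; the directory and the symlink target are
# created in a throwaway temp dir instead of /tmp and /etc/nologin.
import os
import tempfile

LOCK_NAME = "esearchdb.py.tmp"


def flawed_claim_lock(lock_path):
    """os.path.exists() follows symlinks, so it reports False for a dangling
    one; the script then proceeds and open() creates the symlink's target."""
    if os.path.exists(lock_path):
        return "refused: already running"
    with open(lock_path, "w") as fh:  # follows the link and creates its target
        fh.write(str(os.getpid()))
    return "created"


def safe_claim_lock(lock_path):
    """Refuse any existing directory entry (lexists is lstat-based and sees a
    dangling symlink), then create atomically with O_EXCL|O_NOFOLLOW so a
    link planted between the check and the create is refused as well."""
    if os.path.lexists(lock_path):
        return "refused: path already exists"
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(lock_path, flags, 0o600)
    except FileExistsError:
        return "refused: lost race"
    with os.fdopen(fd, "w") as fh:
        fh.write(str(os.getpid()))
    return "created"


def run_dangling_symlink_scenario(claim):
    """Plant a dangling symlink at the lock path, call claim() and report
    whether the symlink target (the would-be /etc/nologin) got created."""
    with tempfile.TemporaryDirectory() as d:
        lock = os.path.join(d, LOCK_NAME)
        target = os.path.join(d, "victim-file")
        os.symlink(target, lock)
        verdict = claim(lock)
        return {"verdict": verdict, "target_created": os.path.exists(target)}


if __name__ == "__main__":
    for fn in (flawed_claim_lock, safe_claim_lock):
        print(fn.__name__, run_dangling_symlink_scenario(fn))
```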
[Full-Disclosure] [gentoo-announce] [ GLSA 200404-21 ] Multiple Vulnerabilities in Samba
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200404-21
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Multiple Vulnerabilities in Samba
      Date: April 29, 2004
      Bugs: #41800, #45965
        ID: 200404-21

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a bug in smbfs which may allow local users to gain root via a
setuid file on a mounted Samba share. Also, there is a tmpfile symlink
vulnerability in the smbprint script distributed with Samba.

Background
==========

Samba is a package which allows UNIX systems to act as file servers for
Windows computers. It also allows UNIX systems to mount shares exported
by a Samba/CIFS/Windows server. smbmount is a program in the Samba
package which allows normal users on a UNIX system to mount remote
shares. smbprint is an example script included in the Samba package
which can be used to facilitate network printing.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  net-fs/samba                     <= 3.0.2a             >= 3.0.2a-r2

Description
===========

Two vulnerabilities have been discovered in Samba. The first
vulnerability allows a local user who has access to the smbmount command
to gain root. An attacker could place a setuid-root binary on a Samba
share/server he or she controls, and then use the smbmount command to
mount the share on the target UNIX box. The remote Samba server must
support UNIX extensions for this to work. This has been fixed in version
3.0.2a.

The second vulnerability is in the smbprint script. By creating a
symlink from /tmp/smbprint.log, an attacker could cause the smbprint
script to write to an arbitrary file on the system. This has been fixed
in version 3.0.2a-r2.

Impact
======

Local users with access to the smbmount command may gain root access.
Also, arbitrary files may be overwritten using the smbprint script.

Workaround
==========

To work around the setuid bug, remove the setuid bits from the
/usr/bin/smbmnt, /usr/bin/smbumount and /usr/bin/mount.cifs binaries.
However, please note that this workaround will prevent ordinary users
from mounting remote SMB and CIFS shares.

To work around the smbprint vulnerability, set "debug=no" in the
smbprint configuration.

Resolution
==========

All users should update to the latest version of the Samba package. The
following commands will perform the upgrade:

    # emerge sync
    # emerge -pv ">=net-fs/samba-3.0.2a-r2"
    # emerge ">=net-fs/samba-3.0.2a-r2"

Those who are using Samba's password database also need to run the
following command:

    # pdbedit --force-initialized-passwords

Those using LDAP for Samba passwords also need to check the
sambaPwdLastSet attribute on each account, and ensure it is not 0.

References
==========

  [ 1 ] BugTraq Thread: Samba 3.x + kernel 2.6.x local root vulnerability
        http://www.securityfocus.com/archive/1/353222/2004-04-09/2004-04-15/1
  [ 2 ] BugTraq: smbprint Vulnerability
        http://seclists.org/lists/bugtraq/2004/Mar/0189.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200404-21.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200405-14 ] Buffer overflow in Subversion
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200405-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Buffer overflow in Subversion
      Date: May 20, 2004
      Bugs: #51462
        ID: 200405-14

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There is a vulnerability in the Subversion date parsing code which may
lead to denial of service attacks, or execution of arbitrary code. Both
the client and server are vulnerable.

Background
==========

Subversion is a version control system intended to eventually replace
CVS. Like CVS, it has an optional client-server architecture (where the
server can be an Apache server running mod_svn, or an ssh program as in
CVS's :ext: method). In addition to supporting the features found in
CVS, Subversion also provides support for moving and copying files and
directories.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  dev-util/subversion              <= 1.0.2                 >= 1.0.3

Description
===========

All releases of Subversion prior to 1.0.3 have a vulnerability in the
date-parsing code. This vulnerability may allow denial of service or
arbitrary code execution as the Subversion user. Both the client and
server are vulnerable, and write access is NOT required to the server's
repository.

Impact
======

All servers and clients are vulnerable. Specifically, clients that allow
other users to write to administrative files in a working copy may be
exploited. Additionally all servers (whether they are httpd/DAV or
svnserve) are vulnerable. Write access to the server is not required;
public read-only Subversion servers are also exploitable.

Workaround
==========

There is no known workaround at this time. All users are encouraged to
upgrade to the latest available version.

Resolution
==========

All Subversion users should upgrade to the latest stable version:

    # emerge sync
    # emerge -pv ">=dev-util/subversion-1.0.3"
    # emerge ">=dev-util/subversion-1.0.3"

References
==========

  [ 1 ] Subversion Announcement
        http://subversion.tigris.org/servlets/ReadMsg?list=announce&msgNo=125
  [ 2 ] E-Matters Advisory
        http://security.e-matters.de/advisories/082004.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200405-14.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200404-19 ] Buffer overflows and format string vulnerabilities in LCDproc
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                    Gentoo Linux Security Advisory           GLSA 200404-19
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Buffer overflows and format string vulnerabilities in LCDproc
      Date: April 27, 2004
      Bugs: #47340
        ID: 200404-19

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple remote vulnerabilities have been found in the LCDd server,
allowing execution of arbitrary code with the rights of the LCDd user.

Background
==========

LCDproc is a program that displays various bits of real-time system
information on an LCD. It makes use of a local server (LCDd) to collect
information to display on the LCD.

Affected packages
=================

    -------------------------------------------------------------------
     Package                     /  Vulnerable  /            Unaffected
    -------------------------------------------------------------------
  1  app-misc/lcdproc                 <= 0.4.4-r1              >= 0.4.5

Description
===========

Due to insufficient checking of client-supplied data, the LCDd server is
susceptible to two buffer overflows and one string buffer vulnerability.
If the server is configured to listen on all network interfaces (see the
Bind parameter in LCDproc configuration), these vulnerabilities can be
triggered remotely.

Impact
======

These vulnerabilities allow an attacker to execute code with the rights
of the user running the LCDproc server. By default, this is the "nobody"
user.

Workaround
==========

A workaround is not currently known for this issue. All users are
advised to upgrade to the latest version of the affected package.

Resolution
==========

LCDproc users should upgrade to version 0.4.5 or later:

    # emerge sync
    # emerge -pv ">=app-misc/lcdproc-0.4.5"
    # emerge ">=app-misc/lcdproc-0.4.5"

References
==========

  [ 1 ] LCDproc advisory
        http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200404-19.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200404-20 ] Multiple vulnerabilities in xine
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory        GLSA 200404-20
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Multiple vulnerabilities in xine
      Date: April 27, 2004
      Bugs: #45448, #48107, #48108
        ID: 200404-20

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Several vulnerabilities have been found in xine-ui and xine-lib,
potentially allowing an attacker to overwrite files with the rights of
the user.

Background
==========

xine is a multimedia player that plays back CDs, DVDs, and VCDs, decodes
multimedia files like AVI, MOV, WMV, and MP3 from local disk drives, and
displays multimedia streamed over the Internet. It is available in Gentoo
as a reusable library (xine-lib) with a standard user interface (xine-ui).

Affected packages
=================

    -------------------------------------------------------------------
     Package               /  Vulnerable  /                  Unaffected
    -------------------------------------------------------------------
  1  media-video/xine-ui      <= 0.9.23-r1                 >= 0.9.23-r2
  2  media-libs/xine-lib      <= 1_rc3-r2                   >= 1_rc3-r3
    -------------------------------------------------------------------
     2 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Several vulnerabilities were found in xine-ui and xine-lib. By opening a
malicious MRL in any xine-lib based media player, an attacker can write
arbitrary content to an arbitrary file, only restricted by the
permissions of the user running the application. By opening a malicious
playlist in the xine-ui media player, an attacker can write arbitrary
content to an arbitrary file, only restricted by the permissions of the
user running xine-ui. Finally, a temporary file is created in an insecure
manner by the xine-check and xine-bugreport scripts, potentially allowing
a local attacker to use a symlink attack.

Impact
======

These three vulnerabilities may allow an attacker to corrupt system
files, thus potentially leading to a Denial of Service. It is also
theoretically possible, though very unlikely, to use these
vulnerabilities to elevate the privileges of the attacker.

Workaround
==========

There is no known workaround at this time. All users are advised to
upgrade to the latest available versions of xine-ui and xine-lib.

Resolution
==========

All users of xine-ui or another xine-based player should upgrade to the
latest stable versions:

    # emerge sync
    # emerge -pv ">=media-video/xine-ui-0.9.23-r2"
    # emerge ">=media-video/xine-ui-0.9.23-r2"
    # emerge -pv ">=media-libs/xine-lib-1_rc3-r3"
    # emerge ">=media-libs/xine-lib-1_rc3-r3"

References
==========

  [ 1 ] Xine Security Advisories
        http://xinehq.de/index.php/security
  [ 2 ] xine-bugreport and xine-check vulnerability
        http://nettwerked.mg2.org/advisories/xinebug

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200404-20.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text belongs to its
owner(s). The contents of this document are licensed under the Creative
Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
[Full-Disclosure] [ GLSA 200404-18 ] Multiple Vulnerabilities in ssmtp
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                   Gentoo Linux Security Advisory        GLSA 200404-18
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: High
     Title: Multiple Vulnerabilities in ssmtp
      Date: April 26, 2004
      Bugs: #47918, #48435
        ID: 200404-18

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

There are multiple format string vulnerabilities in the SSMTP package,
which may allow an attacker to run arbitrary code with ssmtp's privileges
(potentially root).

Background
==========

SSMTP is a very simple mail transfer agent (MTA) that relays mail from
the local machine to another SMTP host. It is not designed to function as
a full mail server; its sole purpose is to relay mail.

Affected packages
=================

    -------------------------------------------------------------------
     Package          /  Vulnerable  /                       Unaffected
    -------------------------------------------------------------------
  1  net-mail/ssmtp      <= 2.60.4-r2                         >= 2.60.7

Description
===========

There are two format string vulnerabilities inside the log_event() and
die() functions of ssmtp. Strings from outside ssmtp are passed to
various printf()-like functions from within log_event() and die() as
format strings. An attacker could cause a specially-crafted string to be
passed to these functions, and potentially cause ssmtp to execute
arbitrary code.

Impact
======

If ssmtp connects to a malicious mail relay server, this vulnerability
can be used to execute code with the rights of the mail sender,
including root.

Workaround
==========

There is no known workaround at this time. All users are advised to
upgrade to the latest available version of ssmtp.

Resolution
==========

All users are advised to upgrade to the latest available version of
ssmtp.

    # emerge sync
    # emerge -pv ">=net-mail/ssmtp-2.60.7"
    # emerge ">=net-mail/ssmtp-2.60.7"

References
==========

  [ 1 ] Secunia Advisory
        http://secunia.com/advisories/11378/
  [ 2 ] CVE Reference
        http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0156
  [ 3 ] Debian Advisory
        http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00084.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200404-18.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
[EMAIL PROTECTED] or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Technologies, Inc; referenced text belongs to its
owner(s). The contents of this document are licensed under the Creative
Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0
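The following C sketch is an added illustration of the log_event()/die() pattern the ssmtp advisory describes, not ssmtp's own code: a hypothetical logger that takes externally supplied text as its format, the hardened form that passes a constant format with the text as an argument, a compile-time-checked variadic variant, and a small review helper that counts conversion directives. The function names, buffer-based output and the constructed relay reply used in the test are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Variadic logger whose format GCC/Clang check at compile time: every call
   must pass a literal format that matches its arguments. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int log_eventf(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return len;
}

/* Hypothetical sketch of the pattern the advisory describes: text that
   arrived from outside the program (here, a relay's SMTP reply) is passed
   to a printf()-like function as the format, so any '%' sequence in it is
   executed as a directive. Only ever called with benign input in this file. */
static int log_event_unsafe(char *out, size_t n, const char *external)
{
    return snprintf(out, n, external);      /* BUG: external is the format */
}

/* Hardened form: the format is a constant and the external text is an
   argument, so '%' in it is just a character. */
static int log_event_safe(char *out, size_t n, const char *external)
{
    return snprintf(out, n, "ssmtp: %s", external);
}

/* Review helper: count printf conversions in a string about to be used as
   a format. Any non-zero count on externally supplied text is the bug. */
static int count_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" is an escaped, literal percent */
            p++;
            continue;
        }
        count++;
    }
    return count;
}
```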