Sorry, Pak Made happens to be on "leave" and I have been very busy, so I
only now have time to post. Linux security watchers are urged to "help"
me and Pak Made with posting, both announcements and analysis. [NB: general
discussion about security can go to linux-admin].
Here is a summary of the subjects of the postings in this edition:
Subject: GnoRPM local /tmp vulnerability
Subject: Re: /bin/su local libc exploit yielding a root shell
Subject: [RHSA-2000:065-04] LPRng contains a critical string format bug
Subject: [RHSA-2000:066-03] lpr has a format string security bug,
LPRng compat issues, and a race cond.
Subject: Immunix OS Security Update for lpr
Subject: ISS Security Advisory: GNU Groff utilities read untrusted
commands from current working directory
Subject: MDKSA-2000:054 - lpr update
Subject: Trustix Security Advisory - apache, traceroute and LPRng
Subject: [RHSA-2000:078-02] traceroute setuid root exploit with multiple
-g options
Subject: [RHSA-2000:077-03] esound contains a race condition
Subject: Immunix OS Security Update for traceroute
Subject: Immunix OS Security Update for esound
Subject: MDKSA-2000:056 - tmpwatch update
Subject: [RHSA-2000:080-01] tmpwatch has a local denial of service and
root exploit
Subject: Trustix Security Advisory - tmpwatch
Subject: Security Update: file view vulnerability in mod_rewrite
Subject: PHP security improved -- Fwd: [ANNOUNCE] PHP 4.0.3 released
Subject: another Xlib buffer overflow
Ronny
----- Forwarded message from Alan Cox <[EMAIL PROTECTED]> -----
> From: Alan Cox <[EMAIL PROTECTED]>
> Reply-To: Alan Cox <[EMAIL PROTECTED]>
> X-Mailer: ELM [version 2.5 PL1]
> Date: Mon, 2 Oct 2000 20:06:14 +0100
> To: [EMAIL PROTECTED]
> Subject: GnoRPM local /tmp vulnerability
>
> While fixing other problems with the gnorpm package a locally exploitable
> security hole was found where a normal user could trick root running GnoRPM
> into writing to arbitrary files due to a bug in the gnorpm tmp file handling.
>
> A new release of GnoRPM (0.95.1) is now available. This fixes significant
> numbers of gnorpm bugs including the security hole. Administrators who use
> this program on multi-user machines may well want to update it, and anyone
> who uses it regularly will probably appreciate the fact it now works rather
> better than before.
>
> All versions of GnoRPM before 0.95 are believed vulnerable.
>
> MD5Sum:
> 80521433f88fa09899e9105a24c69ef9 gnorpm-0.95.1.tar.gz
>
> Download sites:
> ftp.linux.org.uk:/pub/linux/alan/GNORPM/gnorpm-0.95.1.tar.gz
> ftp.gnome.org:/pub/GNOME/stable/sources/gnorpm/gnorpm-0.95.1.tar.gz (soon)
>
> Linux Vendor Update Information:
>
> Conectiva Linux
> ~~~~~~~~~~~~~~~
> ftp://atualizacoes.conectiva.com.br/
> {4.0,4.0es,5.0,5.1,ferramentas/ecommerce,ferramentas/graficas}
>
> MandrakeSoft
> ~~~~~~~~~~~~
> http://www.linux-mandrake.com/cooker/
>
> Red Hat Linux
> ~~~~~~~~~~~~~
> [URLS to be confirmed]
>
> Linux Vendors Not Shipping Gnorpm
> Caldera OpenLinux
> Debian GNU Linux
>
----- End forwarded message -----
----- Forwarded message from Matt Wilson <[EMAIL PROTECTED]> -----
> From: Matt Wilson <[EMAIL PROTECTED]>
> Reply-To: Matt Wilson <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.2.5i
> Date: Wed, 4 Oct 2000 00:59:35 -0400
> To: [EMAIL PROTECTED]
> Subject: Re: /bin/su local libc exploit yielding a root shell
>
> I have been able to verify this exploit on stock Red Hat Linux 6.2,
> and have verified that the rogue message catalog is not read when the
> errata for glibc at:
>
> http://www.redhat.com/support/errata/RHSA-2000-057-04.html
>
> is applied.
>
> Again - Red Hat, Inc. strongly recommends that all users upgrade to
> the glibc errata in RHSA-2000-057-04 as it protects you against this
> and similar exploits.
>
> Cheers,
>
> Matt
> [EMAIL PROTECTED]
>
> On Tue, Oct 03, 2000 at 12:25:14PM +0200, Guido Bakker wrote:
> > /*
> > Hail to thee dear readers,
> >
> > This is yet another /bin/su + buggy locale functions in libc exploit.
> > The reason for writing it is rather easy to explain, all existing versions
> > of "su" format bug exploits were very unreliable and tedious to use - the
> > number of addresses on the stack, and thus the number of %.8x signs to use
> > varied heavily, as well as the alignment. Return addresses were expected to
> > be specified on the command line, which is imho an idiotic thing to combine
> > with all the other options that also are to be 'brute forced'.
> > Finding these values by hand is a too tedious thing to do and costs the
> > average script-kid way too much time. I hoped to solve this in this exploit
> > and have found it to work on many different machines so far by using a
> > small brute forcing perl wrapper.
>
> <code snipped>
>
> > | Guido Bakker <[EMAIL PROTECTED]>
> > | Network Manager
> >
> > MainNet BV, http://www.mainnet.nl
> > Phone: +31 (0)20 6133505
> > Fax: +31 (0)20 6135640
>
----- End forwarded message -----
----- Forwarded message from [EMAIL PROTECTED] -----
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 4 Oct 2000 12:04:00 -0400
> To: [EMAIL PROTECTED]
> Subject: [RHSA-2000:065-04] LPRng contains a critical string format bug
>
> ---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
> Synopsis: LPRng contains a critical string format bug
> Advisory ID: RHSA-2000:065-04
> Issue date: 2000-09-26
> Updated on: 2000-10-04
> Product: Red Hat Linux
> Keywords: LPRng security lpd printing lpr syslog
> Cross references: N/A
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> LPRng has a string format bug in the use_syslog function which could lead
> to root compromise.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 7.0 - i386
>
> 3. Problem description:
>
> LPRng has a string format bug in the use_syslog function. This function
> returns user input in a string that is passed to the syslog() function as
> the format string. It is possible to corrupt the print daemon's execution
> with unexpected format specifiers, thus gaining root access to the
> computer. The vulnerability is theoretically exploitable both locally and
> remotely.
>
> 4. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Fvh [filename]
>
> where filename is the name of the RPM.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> 17756 - Critical security hole in LPRng, remote root
>
>
> 6. RPMs required:
>
> Red Hat Linux 7.0:
>
> i386:
> ftp://updates.redhat.com/7.0/i386/LPRng-3.6.24-2.i386.rpm
>
> sources:
> ftp://updates.redhat.com/7.0/SRPMS/LPRng-3.6.24-2.src.rpm
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> c1fc795122b067dd9549aceb75bf5694 7.0/SRPMS/LPRng-3.6.24-2.src.rpm
> 05251e71ae5f2d2fdbc6611eea6f8651 7.0/i386/LPRng-3.6.24-2.i386.rpm
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> Originally reported to bugtraq by Chris Evans <[EMAIL PROTECTED]> on
> 25 Sep, 2000.
>
>
> Copyright(c) 2000 Red Hat, Inc.
>
----- End forwarded message -----
----- Forwarded message from [EMAIL PROTECTED] -----
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Wed, 4 Oct 2000 13:01:00 -0400
> To: [EMAIL PROTECTED]
> Subject: [RHSA-2000:066-03] lpr has a format string security bug,
> LPRng compat issues, and a race cond.
>
> ---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
> Synopsis: lpr has a format string security bug, LPRng compat issues, and a
> race cond.
> Advisory ID: RHSA-2000:066-03
> Issue date: 2000-09-25
> Updated on: 2000-10-04
> Product: Red Hat Linux
> Keywords: lpr security lpd LPRng
> Cross references: N/A
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> lpr has a format string security bug. It also mishandles any extension to
> the lpd communication protocol, and assumes that the instructions contained
> in the extension are a file it should try to print. It also has a race
> condition in the handling of queue interactions that can cause the queue to
> wedge.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 5.0 - i386, alpha
> Red Hat Linux 5.1 - i386, alpha, sparc
> Red Hat Linux 5.2 - i386, alpha, sparc
> Red Hat Linux 6.0 - i386, alpha, sparc
> Red Hat Linux 6.1 - i386, alpha, sparc
> Red Hat Linux 6.2 - i386, alpha, sparc
>
> 3. Problem description:
>
> The old BSD-based lpr which we shipped with Red Hat Linux 5.x and 6.x has a
> recently discovered format string bug in its calls to the syslog facility.
> While we are not aware of any exploits for this issue, it might be possible
> for a user to gain local root access. For this reason, upgrading to the
> new lpr is strongly encouraged.
>
> Additionally, lpr did not properly handle extensions to the lpd protocol.
> LPRng, an advanced replacement for lpr included in Red Hat Linux 7, makes
> use of extensions. The lpr included in Red Hat Linux 6.2 and earlier will
> not recognize these extensions, and attempt to handle the instructions as
> if they were a file to be printed. As a result, the lpr system sends out
> three of the following email messages per print job:
>
> Date: Thu, 10 Aug 2000 21:36:32 -0400
> From: bin <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: lp printer job "(stdin)"
>
> Your printer job ((stdin))
> was not printed because the daemon could not stat the file
>
> Additionally, a race condition exists in the contention for the lock file,
> making it possible for the queue to get into a wedged state.
>
> These problems are now fixed.
>
> 4. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Fvh [filename]
>
> where filename is the name of the RPM.
>
> Additionally, after upgrading, you will want to restart your "lpd" service
> by executing the following as root:
>
> /etc/rc.d/init.d/lpd restart
>
> If you do not need printing at all on your system, we recommend you remove
> the lpr print system:
>
> /etc/rc.d/init.d/lpd stop
> rpm -e lpr
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> 16032 - LPRng lpd/BSD lpd generate stat errors in LPRng->BSD queue interactions.
> 11740 - Race condition in locking for LPD
> 16725 - BSD lpr 0.50-5 Errata Tracking Bug
>
>
> 6. RPMs required:
>
> Red Hat Linux 5.2:
>
> alpha:
> ftp://updates.redhat.com/5.2/alpha/lpr-0.50-7.alpha.rpm
>
> sparc:
> ftp://updates.redhat.com/5.2/sparc/lpr-0.50-7.sparc.rpm
>
> i386:
> ftp://updates.redhat.com/5.2/i386/lpr-0.50-7.i386.rpm
>
> sources:
> ftp://updates.redhat.com/5.2/SRPMS/lpr-0.50-7.src.rpm
>
> Red Hat Linux 6.2:
>
> alpha:
> ftp://updates.redhat.com/6.2/alpha/lpr-0.50-7.alpha.rpm
>
> sparc:
> ftp://updates.redhat.com/6.2/sparc/lpr-0.50-7.sparc.rpm
>
> i386:
> ftp://updates.redhat.com/6.2/i386/lpr-0.50-7.i386.rpm
>
> sources:
> ftp://updates.redhat.com/6.2/SRPMS/lpr-0.50-7.src.rpm
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> 8320299c73f4fb86ba0ff8738eb363b5 5.2/SRPMS/lpr-0.50-7.src.rpm
> ed03f53623add36f3b6da694c49c89c2 5.2/alpha/lpr-0.50-7.alpha.rpm
> bf72425f9ddb0f8d9e2643fbea360f23 5.2/i386/lpr-0.50-7.i386.rpm
> cc2da623757572ed07ab4d88c57422ae 5.2/sparc/lpr-0.50-7.sparc.rpm
> f6082e546a94575ab4c147bc9440bdd1 6.2/SRPMS/lpr-0.50-7.src.rpm
> eaade33acd33346611b7171c2dd7ea03 6.2/alpha/lpr-0.50-7.alpha.rpm
> 542a70425ac1b75fb78880fc08f01986 6.2/i386/lpr-0.50-7.i386.rpm
> 81a48e5d2d91d54d4ea8a4f9c89d5a41 6.2/sparc/lpr-0.50-7.sparc.rpm
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> Thanks go to Chris Evans <[EMAIL PROTECTED]> for spotting this in the
> OpenBSD lpr CVS commit logs, and verifying the problem existed for Linux as
> well.
>
>
> Copyright(c) 2000 Red Hat, Inc.
>
----- End forwarded message -----
----- Forwarded message from Greg KH <[EMAIL PROTECTED]> -----
> From: Greg KH <[EMAIL PROTECTED]>
> Reply-To: Greg KH <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.2.5i
> Date: Wed, 4 Oct 2000 11:12:37 -0700
> To: [EMAIL PROTECTED]
> Subject: Immunix OS Security Update for lpr
>
> RedHat has put out an update to the lpr package due to a potential
> format string security bug found (see
> http://www.securityfocus.com/archive/1/137495 for more information on
> this problem.)
>
> I have built packages for this update for Immunix OS 6.2 (StackGuarded
> versions of the RedHat packages.) They can be found at:
>
> http://immunix.org:8080/ImmunixOS/6.2/updates/RPMS/lpr-0.50-7_StackGuard.i386.rpm
>
> or
>
> http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/lpr-0.50-7_StackGuard.src.rpm
>
> md5sums of the packages:
>
> 5f08dd8fadc05e71bbdafad6b2744dc8 lpr-0.50-7_StackGuard.i386.rpm
> 641637b987c94c9d3644946e4b006007 lpr-0.50-7_StackGuard.src.rpm
>
>
> Thanks,
>
> greg k-h
>
> --
> greg@(kroah|wirex).com
>
----- End forwarded message -----
----- Forwarded message from Aleph One <[EMAIL PROTECTED]> -----
> From: Aleph One <[EMAIL PROTECTED]>
> Reply-To: Aleph One <[EMAIL PROTECTED]>
> Date: Wed, 4 Oct 2000 15:51:22 -0700
> To: [EMAIL PROTECTED]
> Subject: ISS Security Advisory: GNU Groff utilities read untrusted
> commands from current working directory
>
> Internet Security Systems Security Advisory
> October 4, 2000
>
> GNU Groff utilities read untrusted commands from current working
> directory
>
> Synopsis:
>
> Internet Security Systems (ISS) has identified vulnerabilities in several
> utilities that ship as part of the Groff document formatting system package.
>
> By default, the "troff" program reads its "troffrc" initialization file from
> the current working directory. From a security standpoint, it would be
> desirable to restrict the searchable path for this file to the invoker's
> home directory and/or a trusted system. Unfortunately, this could present
> problems for programs that depend on the current behavior.
>
> The "groff" program, a front-end for troff, has a similar problem. It looks
> for the appropriate device description file (as given by the -T parameter, or
> "ps" by default) using devname/DESC in the current working directory. The
> device description file may contain an optional "postpro" directive, which
> defines a command to be run after normal processing. A malicious user could
> place a trojan device description file in a world-writable directory
> (i.e. /tmp), after which any invocations of groff from that directory are
> unsafe.
>
> Impact:
>
> Unsuspecting users, including root, could be coerced into running arbitrary
> commands on the system.
>
> The vulnerability is particularly dangerous in Linux distributions that have
> the "lesspipe" feature. By default, a "LESSOPEN" environment variable is set
> which points to a wrapper script for the "less" pager program named
> "/usr/bin/lesspipe.sh". If less is passed a filename with any of the
> extensions ".1" through ".9", ".n", or ".man", it automatically calls groff
> to handle the file.
>
> Description:
>
> Troff is a document processor that ships with most Unix systems. Among other
> functions, it formats system manual pages into human-readable form. The GNU
> Groff package includes "troff", the main processing program, and "groff", a
> front-end for troff. Typically, troff is invoked by groff.
>
> Troff supports a set of potentially dangerous macros: "open", "opena", "pso",
> "sy", and "pi", which provide the means to write to files and execute
> external commands. For example, "opena" opens a file for writing in append
> mode and "sy" performs a C system() call with the specified argument.
>
> The default in groff is that these dangerous macros are disabled. This is
> accomplished by another macro defined in the file "tmac.safer". Unless
> overridden by the -U (unsafe) flag, the groff program passes troff the
> flag "-msafer", which instructs troff to process the tmac.safer macro
> before the input file. However, before troff processes the tmac.safer macro,
> it first looks for a "troffrc" initialization file. If one is found, it
> executes the commands found therein first, bypassing the dangerous macro
> protection. As mentioned above, troff looks for this initialization file in
> the current directory, creating a potentially dangerous situation.
>
> Groff (speaking of the actual program now, not the package as a whole) is
> a front-end for troff. It supports a variety of devices. For example, the
> PostScript device is named "ps" and allows groff to generate output that
> is fit to print on PostScript printers. There is a device for HTML, and one
> called "ascii" that's used to pretty-print text on typewriter-like devices.
>
> Each device supported by groff has a corresponding directory of the name
> "dev<name>", where <name> is "ps", "ascii", etc. These directories are
> typically installed under some trusted path on the system, i.e., /usr/lib.
> The device description file is named "dev<name>/DESC". Since groff blindly
> trusts "DESC" files contained under the current directory hierarchy, an
> attacker may be able to fool another user into running any arbitrary
> command using the "postpro" directive.
>
> Solar Designer <[EMAIL PROTECTED]> points out that the aforementioned files
> are not alone in the set that may be accessed from the current directory.
> Other hard-coded filenames, such as "troffrc-end", could fall within the `.'
> search path as well (troffrc-end is loaded after the -msafer macros, though).
> In fact, the macro files themselves reference other files that could reside
> in the current directory.
>
> Recommendations:
>
> Both administrators and users should exercise caution and not run "groff",
> "troff", or even the "man" command from untrusted directories.
>
> Internet Security Systems has not received a response from the current GNU
> Groff maintainer. In the interest of accelerating the elimination of these
> vulnerabilities, this advisory is being disseminated to the open source
> community for public discussion.
>
> Internet Security Systems recognizes that reading from the current directory
> is traditional groff/troff behavior, and that in many document-creating
> scenarios it is actually a useful `feature'. One possibility could be to not
> trust the current directory at all by default, perhaps requiring a special
> command line option to revert to the old behavior. At any rate, the fix is
> not obvious, as per Solar Designer's analysis.
>
> Note that troff's -R option ("Don't load troffrc") does not eliminate the
> problem.
>
> Additional Information:
>
> The dangerous Troff macros were discussed on the BUGTRAQ mailing list in
> July, 1999 on a thread under the subject heading of "Troff dangerous". A
> searchable archive of the BUGTRAQ list is at: http://www.securityfocus.com.
>
> The Groff package can be found at the following FTP location:
>
> ftp://ftp.gnu.org/pub/gnu/groff
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name
> CAN-2000-0803 to this issue. This is a candidate for inclusion in the CVE
> list (http://cve.mitre.org), which standardizes names for security problems.
>
>
> Credits:
>
> This vulnerability was discovered and researched by Aaron Campbell and
> Allen Wilson of the ISS X-Force. Internet Security Systems would like to
> acknowledge Solar Designer for his analysis of this problem.
>
> _______
>
> About Internet Security Systems (ISS)
> Internet Security Systems (ISS) is a leading global provider of security
> management solutions for the Internet. By providing industry-leading
> SAFEsuite security software, remote managed security services, and
> strategic consulting and education offerings, ISS is a trusted security
> provider to its customers, protecting digital assets and ensuring safe
> and uninterrupted e-business. ISS' security management solutions protect
> more than 5,500 customers worldwide including 21 of the 25 largest U.S.
> commercial banks, 10 of the largest telecommunications companies and
> over 35 government agencies. Founded in 1994, ISS is headquartered in
> Atlanta, GA, with additional offices throughout North America and
> international operations in Asia, Australia, Europe, Latin America and
> the Middle East. For more information, visit the Internet Security
> Systems web site at www.iss.net or call 888-901-7477.
>
> Copyright (c) 2000 by Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert
> electronically. It is not to be edited in any way without express
> consent of the X-Force. If you wish to reprint the whole or any part of
> this Alert in any other medium excluding electronic medium, please
> e-mail [EMAIL PROTECTED] for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of this
> information constitutes acceptance for use in an AS IS condition. There
> are NO warranties with regard to this information. In no event shall the
> author be liable for any damages whatsoever arising out of or in
> connection with the use or spread of this information. Any use of this
> information is at the user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well
> as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force
> [EMAIL PROTECTED] of Internet Security Systems, Inc.
>
>
----- End forwarded message -----
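As an added illustration (not part of the ISS advisory or the groff project), here is a small pre-flight check a user or administrator can run before invoking groff, troff or man in a directory they do not control. It looks for the files the advisory names (troffrc, troffrc-end, dev<name>/DESC) and flags a DESC that carries a postpro directive; the demo fixture and its placeholder command are constructed for the example.

```shell
#!/bin/sh
# Added example: audit a directory for the groff/troff files that the ISS
# advisory says are read from the current working directory.
#   troffrc      - read by troff before tmac.safer disables the dangerous macros
#   troffrc-end  - also looked up in '.', loaded after -msafer
#   dev*/DESC    - device description; a "postpro" directive names a command
#                  groff runs after normal processing
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
groff_cwd_audit() {
    dir=${1:-.}
    found=0

    # Initialization files troff loads from the working directory.
    for rc in troffrc troffrc-end; do
        if [ -e "$dir/$rc" ]; then
            echo "WARN: $dir/$rc exists; troff would read it from the working directory"
            found=1
        fi
    done

    # Any DESC under ./dev* shadows the trusted copy (e.g. under /usr/lib),
    # so every one of them is reported, with or without postpro.
    for desc in "$dir"/dev*/DESC; do
        [ -f "$desc" ] || continue
        echo "WARN: device description $desc found in working directory"
        if grep -q -E '^postpro([[:space:]]|$)' "$desc"; then
            echo "      postpro directive: $(grep -E '^postpro([[:space:]]|$)' "$desc")"
        fi
        found=1
    done

    return $found
}

# Constructed demonstration input (not a real groff device file): a scratch
# directory holding devps/DESC with a postpro line and a placeholder command,
# used only to show what the audit reports. Returns the audit's exit status.
groff_cwd_audit_demo() {
    demo=$(mktemp -d)
    mkdir "$demo/devps"
    printf 'res 72000\npostpro PLACEHOLDER_COMMAND\n' > "$demo/devps/DESC"
    groff_cwd_audit "$demo"
    rc=$?
    rm -rf "$demo"
    return $rc
}
```

Run `groff_cwd_audit .` in a world-writable directory such as /tmp before viewing a man page there; a non-zero exit means the directory should not be trusted for groff, troff or man.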
----- Forwarded message from Linux Mandrake Security Team
<[EMAIL PROTECTED]> -----
> From: Linux Mandrake Security Team <[EMAIL PROTECTED]>
> Reply-To: Linux Mandrake Security Team <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.2.5i
> Date: Thu, 5 Oct 2000 10:38:09 -0600
> To: [EMAIL PROTECTED]
> Subject: MDKSA-2000:054 - lpr update
>
> ________________________________________________________________________
>
> Linux-Mandrake Security Update Advisory
> ________________________________________________________________________
>
> Package name: lpr
> Date: October 4th, 2000
> Advisory ID: MDKSA-2000:054
>
> Affected versions: 6.0, 6.1, 7.0, 7.1
> ________________________________________________________________________
>
> Problem Description:
>
> There is a format string bug in lpr with its calls to the syslog
> facility. There are no known exploits at this time, but it may be
> possible for a user to gain local root access. This new lpr fixes
> this problem.
> ________________________________________________________________________
>
> Please verify these md5 checksums of the updates prior to upgrading to
> ensure the integrity of the downloaded package. You can do this by
> running the md5sum program on the downloaded package by using
> "md5sum package.rpm".
>
> Linux-Mandrake 6.0:
> d19963294f539c64a4e852fb3f1f8c89 6.0/RPMS/lpr-0.50-3mdk.i586.rpm
> 6026033d4fe19be43694a653d495af0a 6.0/SRPMS/lpr-0.50-3mdk.src.rpm
>
> Linux-Mandrake 6.1:
> 128b012e397473163c1e2c1ed4b78806 6.1/RPMS/lpr-0.50-3mdk.i586.rpm
> 6026033d4fe19be43694a653d495af0a 6.1/SRPMS/lpr-0.50-3mdk.src.rpm
>
> Linux-Mandrake 7.0:
> 0ce870aa142c3482bdd0ad7b72a422c1 7.0/RPMS/lpr-0.50-3mdk.i586.rpm
> 6026033d4fe19be43694a653d495af0a 7.0/SRPMS/lpr-0.50-3mdk.src.rpm
>
> Linux-Mandrake 7.1:
> 6d82c047a905fea7edecc9bed347eae0 7.1/RPMS/lpr-0.50-3mdk.i586.rpm
> 6026033d4fe19be43694a653d495af0a 7.1/SRPMS/lpr-0.50-3mdk.src.rpm
> ________________________________________________________________________
>
> To upgrade automatically, use "MandrakeUpdate".
>
> If you want to upgrade manually, download the updated package from one
> of our FTP server mirrors and upgrade with "rpm -Uvh package_name".
>
> You can download the updates directly from:
> ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
> ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
>
> Or try one of the other mirrors listed at:
>
> http://www.linux-mandrake.com/en/ftp.php3.
>
> Updated packages are available in the "updates/[ver]/RPMS/" directory.
> For example, if you are looking for an updated RPM package for
> Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source
> RPMs are available as well, but you generally do not need to download
> them.
>
> Please be aware that sometimes it takes the mirrors a few hours to
> update, so if you want an immediate upgrade, please use one of the two
> above-listed mirrors.
>
> You can view other security advisories for Linux-Mandrake at:
>
> http://www.linux-mandrake.com/en/security/
>
> If you want to report vulnerabilities, please contact
>
> [EMAIL PROTECTED]
> ________________________________________________________________________
>
> Linux-Mandrake has two security-related mailing list services that
> anyone can subscribe to:
>
> [EMAIL PROTECTED]
>
> Linux-Mandrake's security announcements mailing list. Only
> announcements are sent to this list and it is read-only.
>
> [EMAIL PROTECTED]
>
> Linux-Mandrake's security discussion mailing list. This list is open
> to anyone to discuss Linux-Mandrake security specifically and Linux
> security in general.
>
> To subscribe to either list, send a message to
> [EMAIL PROTECTED]
> with "subscribe [listname]" in the body of the message.
>
> To remove yourself from either list, send a message to
> [EMAIL PROTECTED]
> with "unsubscribe [listname]" in the body of the message.
>
> To get more information on either list, send a message to
> [EMAIL PROTECTED]
> with "info [listname]" in the body of the message.
>
> Optionally, you can use the web interface to subscribe to or unsubscribe
> from either list:
>
> http://www.linux-mandrake.com/en/flists.php3#security
> ________________________________________________________________________
>
> Type Bits/KeyID Date User ID
> pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
> <[EMAIL PROTECTED]>
>
>
----- End forwarded message -----
----- Forwarded message from Oystein Viggen <[EMAIL PROTECTED]> -----
> From: Oystein Viggen <[EMAIL PROTECTED]>
> Reply-To: Oystein Viggen <[EMAIL PROTECTED]>
> User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Arches)
> Date: Fri, 6 Oct 2000 12:41:52 +0200
> To: [EMAIL PROTECTED]
> Subject: Trustix Security Advisory - apache, traceroute and LPRng
>
> Hi
>
> Due to recently discovered security holes, we have released several
> updates for Trustix Secure Linux v1.1 and 1.0x. Users of the recent BETA
> version should also install these packages.
>
> The new packages are:
>
> * traceroute-1.4a5-18tr.i586.rpm
> - Fixes local exploit recently discussed on bugtraq.
>
> * apache-1.3.12-6tr.i586.rpm
> * apache-devel-1.3.12-6tr.i586.rpm
> * apache-ssl-1.3.12_1.39-8tr.i586.rpm
> - Fix a remote exploit possible under certain circumstances in
> mod_rewrite.
>
> * LPRng-3.6.24-1tr.i586.rpm
> - Fix remotely exploitable improper use of syslog in some places
>
> MD5sums:
> 688e83f1cd3c679cf5e52ecef29b01a0 apache-1.3.12-6tr.i586.rpm
> a00d7ef794973961f099ef71e38259c5 apache-devel-1.3.12-6tr.i586.rpm
> 1aafa759655a998eb79bea314d8e9149 apache-ssl-1.3.12_1.39-8tr.i586.rpm
> ebd7859ff9f63f53ae1c23088bd9684c LPRng-3.6.24-1tr.i586.rpm
> 906a5b62f1e4232a826ecf2a94fc5c6f traceroute-1.4a5-18tr.i586.rpm
>
> The new packages can be found at:
> http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
> or:
> ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
>
> Note that due to lazy firewall administrators, the ftp site currently
> only supports ACTIVE ftp. This will be fixed shortly.
>
> Oystein
> --
> Trustix developer
>
----- End forwarded message -----
----- Forwarded message from [EMAIL PROTECTED] -----
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 6 Oct 2000 17:21:00 -0400
> To: [EMAIL PROTECTED]
> Subject: [RHSA-2000:078-02] traceroute setuid root exploit with multiple
> -g options
>
> ---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
> Synopsis: traceroute setuid root exploit with multiple -g options
> Advisory ID: RHSA-2000:078-02
> Issue date: 2000-10-06
> Updated on: 2000-10-06
> Product: Red Hat Linux
> Keywords: traceroute setuid root exploit
> Cross references: N/A
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> A root exploit and several additional bugs in traceroute have been
> corrected.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 5.0 - i386, alpha, sparc
> Red Hat Linux 5.1 - i386, alpha, sparc
> Red Hat Linux 5.2 - i386, alpha, sparc
> Red Hat Linux 6.0 - i386, alpha, sparc
> Red Hat Linux 6.1 - i386, alpha, sparc
> Red Hat Linux 6.2 - i386, alpha, sparc
>
> 3. Problem description:
>
> A root exploit due to a segfault when using multiple -g options is fixed
> for Red Hat Linux 6.x and Red Hat Linux 5.x.
>
> A potential denial-of-service attack is alleviated by enforcing a maximum
> buffer size of 64Kb.
>
> On Red Hat Linux 6.x, loose source routing (LSRR) now works correctly.
>
> 4. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Fvh [filename]
>
> where filename is the name of the RPM.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> 18466 - traceroute: local root exploit now exists
> 13466 - segfault while parsing multiple -g arguments
> 15917 - Maksimum packetlength checked badly (Local DoS)
> 16281 - traceroute LSRR broken
>
>
> 6. RPMs required:
>
> Red Hat Linux 5.x:
>
> alpha:
> ftp://updates.redhat.com/5.2/alpha/traceroute-1.4a5-24.5x.alpha.rpm
>
> sparc:
> ftp://updates.redhat.com/5.2/sparc/traceroute-1.4a5-24.5x.sparc.rpm
>
> i386:
> ftp://updates.redhat.com/5.2/i386/traceroute-1.4a5-24.5x.i386.rpm
>
> sources:
> ftp://updates.redhat.com/5.2/SRPMS/traceroute-1.4a5-24.5x.src.rpm
>
> Red Hat Linux 6.x:
>
> alpha:
> ftp://updates.redhat.com/6.2/alpha/traceroute-1.4a5-24.6x.alpha.rpm
>
> sparc:
> ftp://updates.redhat.com/6.2/sparc/traceroute-1.4a5-24.6x.sparc.rpm
>
> i386:
> ftp://updates.redhat.com/6.2/i386/traceroute-1.4a5-24.6x.i386.rpm
>
> sources:
> ftp://updates.redhat.com/6.2/SRPMS/traceroute-1.4a5-24.6x.src.rpm
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> 1fe1fb918271526d5d4e22046f1da776 5.2/SRPMS/traceroute-1.4a5-24.5x.src.rpm
> 25a92211082e65df9f89fd71ac7a6888 5.2/alpha/traceroute-1.4a5-24.5x.alpha.rpm
> 2fc1c66152f3fbd723b695472aadc0a6 5.2/i386/traceroute-1.4a5-24.5x.i386.rpm
> d60c337c3fa3d23ba2c1cde082c8fee5 5.2/sparc/traceroute-1.4a5-24.5x.sparc.rpm
> 9fc2151d7cca01185add0ed085efcde0 6.2/SRPMS/traceroute-1.4a5-24.6x.src.rpm
> f279d9e415a7d806daae86e8112fe8c6 6.2/alpha/traceroute-1.4a5-24.6x.alpha.rpm
> 49bd824f9f4784ce9c45fa54285c7aa0 6.2/i386/traceroute-1.4a5-24.6x.i386.rpm
> 498a1e08221e1d9e0115edb7f34ecef9 6.2/sparc/traceroute-1.4a5-24.6x.sparc.rpm
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> Thanks to Pekka Savola <[EMAIL PROTECTED]> for discovering the flaw.
>
> See http://www.securityfocus.com/archive/1/136215 for a complete summary of
> the flaw.
>
>
> Copyright(c) 2000 Red Hat, Inc.
>
----- End forwarded message -----
----- Forwarded message from [EMAIL PROTECTED] -----
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 6 Oct 2000 17:13:00 -0400
> To: [EMAIL PROTECTED]
> Subject: [RHSA-2000:077-03] esound contains a race condition
>
> ---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
> Synopsis: esound contains a race condition
> Advisory ID: RHSA-2000:077-03
> Issue date: 2000-10-06
> Updated on: 2000-10-06
> Product: Red Hat Linux
> Keywords: esound security esd socket Gnome
> Cross references: N/A
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> Esound, the Gnome sound server, contains a race condition that a malicious
> user could exploit to change permissions of any file owned by the esound
> user.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 6.0 - i386, alpha, sparc
> Red Hat Linux 6.1 - i386, alpha, sparc
> Red Hat Linux 6.2 - i386, alpha, sparc
> Red Hat Linux 6.2EE - i386, alpha, sparc
> Red Hat Linux 7.0 - i386
> Red Hat Linux 7.0J - i386
>
> 3. Problem description:
>
> Esound, the sound daemon used for Gnome, creates a world-writable
> directory, /tmp/.esd. This directory is owned by the user running esound,
> and is used to store a socket which is used by programs connecting to the
> sound server. During startup, this socket's permissions are adjusted. An
> attacker on the system can theoretically create a symbolic link, and cause
> any file or directory owned by the user running esound to be made
> world writable.
>
> The new packages fix this race condition.
>
> 4. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Fvh [filename]
>
> where filename is the name of the RPM.
>
> All active Gnome sessions should also be restarted after the upgrade is
> applied.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> N/A
>
> 6. RPMs required:
>
> Red Hat Linux 6.x:
>
> alpha:
> ftp://updates.redhat.com/6.2/alpha/esound-0.2.20-0.alpha.rpm
> ftp://updates.redhat.com/6.2/alpha/esound-devel-0.2.20-0.alpha.rpm
>
> sparc:
> ftp://updates.redhat.com/6.2/sparc/esound-0.2.20-0.sparc.rpm
> ftp://updates.redhat.com/6.2/sparc/esound-devel-0.2.20-0.sparc.rpm
>
> i386:
> ftp://updates.redhat.com/6.2/i386/esound-0.2.20-0.i386.rpm
> ftp://updates.redhat.com/6.2/i386/esound-devel-0.2.20-0.i386.rpm
>
> sources:
> ftp://updates.redhat.com/6.2/SRPMS/esound-0.2.20-0.src.rpm
>
> Red Hat Linux 7.0:
>
> i386:
> ftp://updates.redhat.com/7.0/i386/esound-0.2.20-1.i386.rpm
> ftp://updates.redhat.com/7.0/i386/esound-devel-0.2.20-1.i386.rpm
>
> sources:
> ftp://updates.redhat.com/7.0/SRPMS/esound-0.2.20-1.src.rpm
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> 4f7a81fe6b7f5a419272659b92d1dfc1 6.2/SRPMS/esound-0.2.20-0.src.rpm
> 648746086daa7bbc6bef00697e62bf51 6.2/alpha/esound-0.2.20-0.alpha.rpm
> 8a7dbf7dabbd7d9ca2861c1ecf2b2d5f 6.2/alpha/esound-devel-0.2.20-0.alpha.rpm
> 962fa1129804f2d8470e1767a352f77f 6.2/i386/esound-0.2.20-0.i386.rpm
> 784ec77026228d31d823e619c1de78d8 6.2/i386/esound-devel-0.2.20-0.i386.rpm
> 2127fdd7654b80506952dce08c3f5014 6.2/sparc/esound-0.2.20-0.sparc.rpm
> 0c191eee05a89dc0d12b3ca4981d2353 6.2/sparc/esound-devel-0.2.20-0.sparc.rpm
> 24f8e1b106500565e8426ad96150a001 7.0/SRPMS/esound-0.2.20-1.src.rpm
> a61209acb87ed7f4fa5b1d63d161c85d 7.0/i386/esound-0.2.20-1.i386.rpm
> 6b326c66d570ee59eda7c2daf0ab4721 7.0/i386/esound-devel-0.2.20-1.i386.rpm
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> BugTraq ID: 1659 (http://www.securityfocus.com/bid/1659)
>
>
> Copyright(c) 2000 Red Hat, Inc.
>
----- End forwarded message -----
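The esound advisory above describes a time-of-check/time-of-use race: the daemon creates an object under a world-writable /tmp/.esd and then adjusts its permissions by path name, so a symlink planted under that name redirects the chmod() to any file the esound user owns. The following C program is an added illustration of that pattern and of the descriptor-based alternative; it is not esound code and not Red Hat's fix. It uses a regular file rather than a socket (a socket file cannot be open()ed, so a daemon such as esd would instead set umask() before bind() and never chmod() the socket afterwards), and it assumes a writable /tmp for its scratch directory.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable shape: chmod() by path name on an object that lives in a
 * world-writable directory. The kernel resolves the name at call time and
 * follows symlinks, so whatever another user has planted under that name
 * between creation and this call is what gets its mode changed. */
int chmod_by_path(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Hardened shape: open the name without following symlinks, verify that the
 * open object is a regular file we own, then change the mode through the
 * descriptor. Nothing a third party does to the directory after open() can
 * redirect the fchmod(). */
int chmod_nofollow(const char *path, mode_t mode) {
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;                     /* ELOOP if it is a symlink */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

/* Constructed test rig: a scratch directory holding a 0600 "victim" file and
 * a symlink, named like the socket, that points at it (the attacker's move).
 * The chosen routine is asked to make the symlink's name 0666. Returns the
 * victim's resulting permission bits (or -1 on setup failure) and stores the
 * routine's return value in *rc_out. */
int race_demo(int hardened, int *rc_out) {
    char dir[] = "/tmp/esdrace.XXXXXX";       /* assumed writable /tmp */
    char victim[64], link[64];
    struct stat st;
    int fd, rc, mode = -1;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/socket", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0) {
        fchmod(fd, 0600);                      /* independent of umask */
        close(fd);
        if (symlink(victim, link) == 0) {
            rc = hardened ? chmod_nofollow(link, 0666)
                          : chmod_by_path(link, 0666);
            if (stat(victim, &st) == 0) mode = (int)(st.st_mode & 07777);
            if (rc_out) *rc_out = rc;
            unlink(link);
        }
        unlink(victim);
    }
    rmdir(dir);
    return mode;
}

int main(void) {
    int rc;
    int m = race_demo(0, &rc);
    printf("chmod by path   : victim now %04o, chmod returned %d\n", m, rc);
    m = race_demo(1, &rc);
    printf("fchmod/nofollow : victim now %04o, chmod returned %d\n", m, rc);
    return 0;
}
```

Run as an unprivileged user: the path-based call reports the victim at 0666 even though only the symlink was named, while the descriptor-based call refuses with ELOOP and leaves the victim at 0600. The same rule applies to chown(), unlink() and rename() in shared directories: check and act on one open descriptor, never on a name somebody else can rebind.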
----- Forwarded message from Greg KH <[EMAIL PROTECTED]> -----
> From: Greg KH <[EMAIL PROTECTED]>
> Reply-To: Greg KH <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.2.5i
> Date: Fri, 6 Oct 2000 16:55:11 -0700
> To: [EMAIL PROTECTED]
> Subject: Immunix OS Security Update for traceroute
>
> RedHat has put out an update to the traceroute package due to a potential
> root exploit and a bug fix for several other potential problems (see
> http://www.securityfocus.com/archive/1/138072 for more information on
> this problem.)
>
> I have built packages for this update for Immunix OS 6.2 (StackGuarded
> versions of the RedHat packages.) They can be found at:
>
> http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/traceroute-1.4a5-24.6x_StackGuard.i386.rpm
>
> or
>
> http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/traceroute-1.4a5-24.6x_StackGuard.src.rpm
>
> md5sums of the packages:
>
> cb497c4c15ca728056d5e20d4378a3f0 traceroute-1.4a5-24.6x_StackGuard.i386.rpm
> 28e3976fde67394f7703d329aedfbe4a traceroute-1.4a5-24.6x_StackGuard.src.rpm
>
> Thanks,
>
> greg k-h
>
> --
> greg@(kroah|wirex).com
>
----- End forwarded message -----
----- Forwarded message from Greg KH <[EMAIL PROTECTED]> -----
> From: Greg KH <[EMAIL PROTECTED]>
> Reply-To: Greg KH <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.2.5i
> Date: Fri, 6 Oct 2000 16:50:57 -0700
> To: [EMAIL PROTECTED]
> Subject: Immunix OS Security Update for esound
>
> RedHat has put out an update to the esound package due to a potential
> race condition that a malicious user could exploit (see
> http://www.securityfocus.com/archive/1/138073 for more information on
> this problem.)
>
> I have built packages for this update for Immunix OS 6.2 (StackGuarded
> versions of the RedHat packages.) They can be found at:
>
> http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/esound-0.2.20-0_StackGuard.i386.rpm
> http://www.immunix.org:8080/ImmunixOS/6.2/updates/RPMS/esound-devel-0.2.20-0_StackGuard.i386.rpm
>
> or
>
> http://www.immunix.org:8080/ImmunixOS/6.2/updates/SRPMS/esound-0.2.20-0_StackGuard.src.rpm
>
> md5sums of the packages:
>
> ab285ded3a6e451d294ed2f056d7df80 esound-0.2.20-0_StackGuard.i386.rpm
> 32aa9119cd251579077cbec3f02bac9d esound-devel-0.2.20-0_StackGuard.i386.rpm
> 007dc904a2e448839133811c1436760d esound-0.2.20-0_StackGuard.src.rpm
>
> Thanks,
>
> greg k-h
>
> --
> greg@(kroah|wirex).com
>
----- End forwarded message -----
----- Forwarded message from Linux Mandrake Security Team
<[EMAIL PROTECTED]> -----
> From: Linux Mandrake Security Team <[EMAIL PROTECTED]>
> Reply-To: Linux Mandrake Security Team <[EMAIL PROTECTED]>
> User-Agent: Mutt/1.2.5i
> Date: Sat, 7 Oct 2000 13:28:27 -0600
> To: [EMAIL PROTECTED]
> Subject: MDKSA-2000:056 - tmpwatch update
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ________________________________________________________________________
>
> Linux-Mandrake Security Update Advisory
> ________________________________________________________________________
>
> Package name: tmpwatch
> Date: October 7th, 2000
> Advisory ID: MDKSA-2000:056
>
> Affected versions: 6.0, 6.1, 7.0, 7.1
> ________________________________________________________________________
>
> Problem Description:
>
> Previous versions of tmpwatch contained a local denial of service and
> root exploits. This is due to using the fork() command to recursively
> process subdirectories which would allow a local user to perform a
> denial of service attack.
> ________________________________________________________________________
>
> Please verify these md5 checksums of the updates prior to upgrading to
> ensure the integrity of the downloaded package. You can do this by
> running the md5sum program on the downloaded package by using
> "md5sum package.rpm".
>
> Linux-Mandrake 6.0:
> d6e7442f4c3a9af30e9158e7ae9ecf72 6.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
> 93541933fc92134a4954db3decbe2b31 6.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
>
> Linux-Mandrake 6.1:
> 04b86f78b1bf908219c5ddc94767c7a8 6.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
> 93541933fc92134a4954db3decbe2b31 6.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
>
> Linux-Mandrake 7.0:
> 07267b2907b9e9454a967c4323b17f17 7.0/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
> 93541933fc92134a4954db3decbe2b31 7.0/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
>
> Linux-Mandrake 7.1:
> 04e2717f14f0b4f8f991ea9cc0926b2e 7.1/RPMS/tmpwatch-2.6.2-1mdk.i586.rpm
> 93541933fc92134a4954db3decbe2b31 7.1/SRPMS/tmpwatch-2.6.2-1mdk.src.rpm
> ________________________________________________________________________
>
> To upgrade automatically, use MandrakeUpdate.
>
> If you want to upgrade manually, download the updated package from one
> of our FTP server mirrors and upgrade with "rpm -Uvh package_name".
>
> You can download the updates directly from:
> ftp://ftp.linux.tucows.com/pub/distributions/Mandrake/Mandrake/updates
> ftp://ftp.free.fr/pub/Distributions_Linux/Mandrake/updates
>
> Or try one of the other mirrors listed at:
>
> http://www.linux-mandrake.com/en/ftp.php3.
>
> Updated packages are available in the "updates/[ver]/RPMS/" directory.
> For example, if you are looking for an updated RPM package for
> Linux-Mandrake 7.1, look for it in "updates/7.1/RPMS/". Updated source
> RPMs are available as well, but you generally do not need to download
> them.
>
> Please be aware that sometimes it takes the mirrors a few hours to
> update, so if you want an immediate upgrade, please use one of the two
> above-listed mirrors.
>
> You can view other security advisories for Linux-Mandrake at:
>
> http://www.linux-mandrake.com/en/security/
>
> If you want to report vulnerabilities, please contact
>
> [EMAIL PROTECTED]
> ________________________________________________________________________
>
> Linux-Mandrake has two security-related mailing list services that
> anyone can subscribe to:
>
> [EMAIL PROTECTED]
>
> Linux-Mandrake's security announcements mailing list. Only
> announcements are sent to this list and it is read-only.
>
> [EMAIL PROTECTED]
>
> Linux-Mandrake's security discussion mailing list. This list is open
> to anyone to discuss Linux-Mandrake security specifically and Linux
> security in general.
>
> To subscribe to either list, send a message to
> [EMAIL PROTECTED]
> with "subscribe [listname]" in the body of the message.
>
> To remove yourself from either list, send a message to
> [EMAIL PROTECTED]
> with "unsubscribe [listname]" in the body of the message.
>
> To get more information on either list, send a message to
> [EMAIL PROTECTED]
> with "info [listname]" in the body of the message.
>
> Optionally, you can use the web interface to subscribe to or unsubscribe
> from either list:
>
> http://www.linux-mandrake.com/en/flists.php3#security
> ________________________________________________________________________
>
> Type Bits/KeyID Date User ID
> pub 1024D/22458A98 2000-07-10 Linux Mandrake Security Team
> <[EMAIL PROTECTED]>
>
>
> - -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> mQGiBDlp594RBAC2tDozI3ZgQsE7XwxurJCJrX0L5vx7SDByR5GHDdWekGhdiday
> L4nfUax+SeR9SCoCgTgPW1xB8vtQc8/sinJlMjp9197a2iKM0FOcPlkpa3HcOdt7
> WKJqQhlMrHvRcsivzcgqjH44GBBJIT6sygUF8k0lU6YnMHj5MPc/NGWt8wCg9vKo
> P0l5QVAFSsHtqcU9W8cc7wMEAJzQsAlnvPXDBfBLEH6u7ptWFdp0GvbSuG2wRaPl
> hynHvRiE01ZvwbJZXsPsKm1z7uVoW+NknKLunWKB5axrNXDHxCYJBzY3jTeFjsqx
> PFZkIEAQphLTkeXXelAjQ5u9tEshPswEtMvJvUgNiAfbzHfPYmq8D6x5xOw1IySg
> 2e/LBACxr2UJYCCB2BZ3p508mAB0RpuLGukq+7UWiOizy+kSskIBg2O7sQkVY/Cs
> iyGEo4XvXqZFMY39RBdfm2GY+WB/5NFiTOYJRKjfprP6K1YbtsmctsX8dG+foKsD
> LLFs7OuVfaydLQYp1iiN6D+LJDSMPM8/LCWzZsgr9EKJ8NXiyrQ6TGludXggTWFu
> ZHJha2UgU2VjdXJpdHkgVGVhbSA8c2VjdXJpdHlAbGludXgtbWFuZHJha2UuY29t
> PohWBBMRAgAWBQI5aefeBAsKBAMDFQMCAxYCAQIXgAAKCRCaqNDQIkWKmK6LAKCy
> /NInDsaMSI+WHwrquwC5PZrcnQCeI+v3gUDsNfQfiKBvQSANu1hdulq5AQ0EOWnn
> 7xAEAOQlTVY4TiNo5V/iP0J1xnqjqlqZsU7yEBKo/gZz6/+hx75RURe1ebiJ9F77
> 9FQbpJ9Epz1KLSXvq974rnVb813zuGdmgFyk+ryA/rTR2RQ8h+EoNkwmATzRxBXV
> Jb57fFQjxOu4eNjZAtfII/YXb0uyXXrdr5dlJ/3eXrcO4p0XAAMFBACCxo6Z269s
> +A4v8C6Ui12aarOQcCDlV8cVG9LkyatU3FNTlnasqwo6EkaP572448weJWwN6SCX
> Vl+xOYLiK0hL/6Jb/O9Agw75yUVdk+RMM2I4fNEi+y4hmfMh2siBv8yEkEvZjTcl
> 3TpkTfzYky85tu433wmKaLFOv0WjBFSikohGBBgRAgAGBQI5aefvAAoJEJqo0NAi
> RYqYid0AoJgeWzXrEdIClBOSW5Q6FzqJJyaqAKC0Y9YI3UFlE4zSIGjcFlLJEJGX
> lA==
> =WxWn
> - -----END PGP PUBLIC KEY BLOCK-----
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.2 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE531x2mqjQ0CJFipgRAvzaAKDdiVZX3I5SN3L0CSpEhaITixpRswCbBnxv
> PgKoTzSNCJOqBl3XAvkW1kg=
> =vBxs
> -----END PGP SIGNATURE-----
>
----- End forwarded message -----
----- Forwarded message from [EMAIL PROTECTED] -----
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Date: Fri, 6 Oct 2000 18:01:00 -0400
> To: [EMAIL PROTECTED]
> Subject: [RHSA-2000:080-01] tmpwatch has a local denial of service and
> root exploit
>
> ---------------------------------------------------------------------
> Red Hat, Inc. Security Advisory
>
> Synopsis: tmpwatch has a local denial of service and root exploit
> Advisory ID: RHSA-2000:080-01
> Issue date: 2000-10-06
> Updated on: 2000-10-06
> Product: Red Hat Linux
> Keywords: tmpwatch, fuser, DoS, fork
> Cross references: N/A
> ---------------------------------------------------------------------
>
> 1. Topic:
>
> tmpwatch as shipped in Red Hat Linux 6.1, 6.2, and 7.0 uses fork() to
> recursively process subdirectories, enabling a local user to perform a
> denial of service attack. Tmpwatch from Red Hat Linux 6.2 and 7.0 also
> contains an option to allow it to use the fuser command to check for open
> files before removal. It executed fuser in an insecure fashion, allowing a
> local root exploit.
>
> 2. Relevant releases/architectures:
>
> Red Hat Linux 6.1 - i386, alpha, sparc
> Red Hat Linux 6.2 - i386, alpha, sparc
> Red Hat Linux 7.0 - i386
>
> 3. Problem description:
>
> The tmpwatch program periodically cleans up files in temporary directories
> by removing all files older than a certain age. In Red Hat Linux 6.1, 6.2,
> and 7.0, it used fork() to recursively process subdirectories. If a
> malicious user created many layers of subdirectories (thousands) in a
> temporary directory monitored by tmpwatch, the system process table would
> fill up, requiring a reboot.
>
> Additionally, tmpwatch in 6.2 and 7.0 contains an option, "--fuser", that
> attempts to use the fuser command to check if a file is in use before
> removal. However, it executed fuser with the system() call in an insecure
> fashion. A malicious user could construct an environment such that this
> provided them a local root shell. Tmpwatch now uses execle() to run fuser.
>
> 4. Solution:
>
> For each RPM for your particular architecture, run:
>
> rpm -Fvh [filename]
>
> where filename is the name of the RPM.
>
> 5. Bug IDs fixed (http://bugzilla.redhat.com/bugzilla for more info):
>
> 17286 - tmpwatch run from cron allows locale DoS.
>
>
> 6. RPMs required:
>
> Red Hat Linux 6.2:
>
> alpha:
> ftp://updates.redhat.com/6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
>
> sparc:
> ftp://updates.redhat.com/6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
>
> i386:
> ftp://updates.redhat.com/6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
>
> sources:
> ftp://updates.redhat.com/6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
>
> Red Hat Linux 7.0:
>
> i386:
> ftp://updates.redhat.com/7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
>
> sources:
> ftp://updates.redhat.com/7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
>
> 7. Verification:
>
> MD5 sum Package Name
> --------------------------------------------------------------------------
> b8a670944cc54fd39c9eefb79f147ec1 6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm
> 39fe4fbf666e5f9a40503134c05046d8 6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm
> 84609abc355fde23ce878e4d310766f8 6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm
> f4625e9bc27af011a614eaa146586917 6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm
> b1a9201c44a5f921209c9b648ba85ada 7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm
> 8acf394469c47a98fcc589dd0d73b98c 7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm
>
> These packages are GPG signed by Red Hat, Inc. for security. Our key
> is available at:
> http://www.redhat.com/corp/contact.html
>
> You can verify each package with the following command:
> rpm --checksig <filename>
>
> If you only wish to verify that each package has not been corrupted or
> tampered with, examine only the md5sum with the following command:
> rpm --checksig --nogpg <filename>
>
> 8. References:
>
> Thanks go to Internet Security Systems' X-Force team ([EMAIL PROTECTED]) for
> discovering and documenting the local root exploit.
>
>
> Copyright(c) 2000 Red Hat, Inc.
>
----- End forwarded message -----
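The Red Hat tmpwatch advisory above says the --fuser path ran fuser through system() and that the fix switched to execle(). Whether the attacker's leverage was a hostile environment or shell metacharacters in a file name (the advisory does not say which), both come from the same place: system() hands the command line to /bin/sh together with the caller's environment. The C below is an added example of the replacement pattern, written for this digest and not taken from tmpwatch; it assumes /sbin/fuser as the helper's location and uses execve() rather than execle() only because it takes argv as an array.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Vulnerable shape (not compiled in): the file name is spliced into a shell
 * command line and /bin/sh inherits whatever environment the caller had.
 *
 *     char cmd[512];
 *     snprintf(cmd, sizeof cmd, "fuser -s %s", path);
 *     return system(cmd) == 0;
 *
 * A name such as "x;sh" in /tmp is parsed by the shell, and PATH or other
 * variables in the inherited environment decide which "fuser" actually runs. */

/* Hardened shape: fork() and execve() with an absolute program path, the
 * arguments passed as separate argv elements (no shell ever parses them) and
 * a fixed, minimal environment. Returns the child's exit status 0..255, or -1
 * if the program path is relative or fork/exec/wait fails. */
int run_clean(const char *prog, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/bin:/usr/bin", NULL };
    if (prog == NULL || prog[0] != '/') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(prog, argv, clean_env);
        _exit(127);                            /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* tmpwatch-style question "is this file open by some process?". fuser -s
 * exits 0 when at least one process has the file open. /sbin/fuser is an
 * assumed location; adjust for your system. */
int file_in_use(const char *path) {
    char *const args[] = { "fuser", "-s", (char *)path, NULL };
    return run_clean("/sbin/fuser", args) == 0;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/tmp";
    printf("%s: %s\n", path, file_in_use(path) ? "in use" : "not in use");
    return 0;
}
```

The two properties worth checking in a review of any such wrapper are visible here: the program is named by absolute path so PATH is irrelevant, and the file name reaches the child as one argv element, so "a b;id" stays a file name rather than becoming three shell words. The fixed environment also drops anything a cron job may have inherited.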
----- Forwarded message from TSL Team <[EMAIL PROTECTED]> -----
> From: TSL Team <[EMAIL PROTECTED]>
> Reply-To: TSL Team <[EMAIL PROTECTED]>
> User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Arches)
> Date: Mon, 9 Oct 2000 14:00:07 +0200
> To: [EMAIL PROTECTED]
> Subject: Trustix Security Advisory - tmpwatch
>
> Hi
>
> All versions of Trustix Secure Linux have hitherto been shipped with a
> version of tmpwatch that can be tricked into excessive fork()ing filling
> up the process table, requiring the box to be rebooted. The version of
> tmpwatch can also, in certain cases, be tricked into giving local users
> a root shell.
>
> All users of TSL should upgrade to the new rpm:
> tmpwatch-2.6.2-1tr.i586.rpm (MD5sum: 3200b3812bfe6e87f326e240fed0686a)
>
> This file can be found at:
> http://www.trustix.net/download/Trustix/updates/1.1/RPMS/
> or
> ftp://ftp.trustix.com/pub/Trustix/updates/1.1/RPMS/
>
> Questions or comments? Feel free to ask us at [EMAIL PROTECTED]
>
> TSL Team
>
----- End forwarded message -----
----- Forwarded message from Caldera Support Info
<[EMAIL PROTECTED]> -----
> From: Caldera Support Info <[EMAIL PROTECTED]>
> Reply-To: Caldera Support Info <[EMAIL PROTECTED]>
> X-Mailer: Mutt 0.95.6us
> Date: Tue, 10 Oct 2000 15:57:19 -0600
> To: [EMAIL PROTECTED]
> Subject: Security Update: file view vulnerability in mod_rewrite
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> ______________________________________________________________________________
> Caldera Systems, Inc. Security Advisory
>
> Subject: file view vulnerability in mod_rewrite
> Advisory number: CSSA-2000-035.0
> Issue date: 2000 October, 10
> Cross reference:
> ______________________________________________________________________________
>
>
> 1. Problem Description
>
> The Apache HTTP server comes with a module named mod_rewrite
> which can be used to rewrite URLs presented by the client
> before further processing.
>
> The processing logic in mod_rewrite contains a flaw that allows
> attackers to view arbitrary files on the server system.
>
> In the default configuration shipped with OpenLinux, mod_rewrite
> is disabled.
>
> 2. Vulnerable Versions
>
> System Package
> -----------------------------------------------------------
> OpenLinux Desktop 2.3 All packages previous to
> apache-1.3.4-5
>
> OpenLinux eServer 2.3 All packages previous to
> and OpenLinux eBuilder apache-1.3.9-5S
>
> OpenLinux eDesktop 2.4 All packages previous to
> apache-1.3.11-2D
>
> 3. Solution
>
> Workaround:
>
> If you haven't enabled mod_rewrite, no action is required on
> your part. If you do use mod_rewrite, update to the fixed packages.
>
> 4. OpenLinux Desktop 2.3
>
> 4.1 Location of Fixed Packages
>
> The upgrade packages can be found on Caldera's FTP site at:
>
> ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/RPMS/
>
> The corresponding source code package can be found at:
>
> ftp://ftp.calderasystems.com/pub/updates/OpenLinux/2.3/current/SRPMS
>
> 4.2 Verification
>
> c01531115e05d0371db7b1ac83c85b3b RPMS/apache-1.3.4-5.i386.rpm
> 8403e4002988a610c8a0ee11e4b088b1 RPMS/apache-docs-1.3.4-5.i386.rpm
> 28a4dc488a42088c1761cbb210a26c9c SRPMS/apache-1.3.4-5.src.rpm
>
> 4.3 Installing Fixed Packages
>
> Upgrade the affected packages with the following commands:
>
> rpm -Fhv apache-*1.3.4-5.i386.rpm
>
> 5. OpenLinux eServer 2.3 and OpenLinux eBuilder for ECential 3.0
>
> 5.1 Location of Fixed Packages
>
> The upgrade packages can be found on Caldera's FTP site at:
>
> ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/RPMS/
>
> The corresponding source code package can be found at:
>
> ftp://ftp.calderasystems.com/pub/updates/eServer/2.3/current/SRPMS
>
> 5.2 Verification
>
> 45bd05d80b8c5ca5ef87da39de9c19dd RPMS/apache-1.3.9-5S.i386.rpm
> 0a2043799cdf207f5b797f027a1228a3 RPMS/apache-devel-1.3.9-5S.i386.rpm
> 7aa9d9789fb94600439752a72bb525fb RPMS/apache-docs-1.3.9-5S.i386.rpm
> 6305241c58b0185babe1582438aa62e9 SRPMS/apache-1.3.9-5S.src.rpm
>
> 5.3 Installing Fixed Packages
>
> Upgrade the affected packages with the following commands:
>
> rpm -Fhv apache-*1.3.9-5S.i386.rpm
>
> 6. OpenLinux eDesktop 2.4
>
> 6.1 Location of Fixed Packages
>
> The upgrade packages can be found on Caldera's FTP site at:
>
> ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/RPMS/
>
> The corresponding source code package can be found at:
>
> ftp://ftp.calderasystems.com/pub/updates/eDesktop/2.4/current/SRPMS
>
> 6.2 Verification
>
> c303c215facbe330fd454e502a50e798 RPMS/apache-1.3.11-2D.i386.rpm
> a173b7d14a0d0c1badf9e23c6ec3769e RPMS/apache-devel-1.3.11-2D.i386.rpm
> 3c92d84da29b69e8f4b665a17ce2328f RPMS/apache-docs-1.3.11-2D.i386.rpm
> e9c43b643cb040b97130dcfd3ee17b10 SRPMS/apache-1.3.11-2D.src.rpm
>
> 6.3 Installing Fixed Packages
>
> Upgrade the affected packages with the following commands:
>
> rpm -Fhv apache-*1.3.11-2D.i386.rpm
>
> 7. References
>
> This and other Caldera security resources are located at:
>
> http://www.calderasystems.com/support/security/index.html
>
> This security fix closes Caldera's internal Problem Report 7940.
>
> 8. Disclaimer
>
> Caldera Systems, Inc. is not responsible for the misuse of any of the
> information we provide on this website and/or through our security
> advisories. Our advisories are a service to our customers intended to
> promote secure installation and use of Caldera OpenLinux.
>
> ______________________________________________________________________________
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.1 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE54wIa18sy83A/qfwRAiBuAJ4m7PwHmpb75kGjgfRgW0b23zTQBACfdz0a
> TSR0QmfBRaIy7I3ZdjH2Blk=
> =ijRI
> -----END PGP SIGNATURE-----
>
----- End forwarded message -----
----- Forwarded message from Viktors Rotanovs <[EMAIL PROTECTED]> -----
> From: Viktors Rotanovs <[EMAIL PROTECTED]>
> Reply-To: Viktors Rotanovs <[EMAIL PROTECTED]>
> X-Mailer: KMail [version 1.1.94.2]
> Date: Thu, 12 Oct 2000 00:53:17 +0200
> To: [EMAIL PROTECTED]
> Subject: PHP security improved -- Fwd: [ANNOUNCE] PHP 4.0.3 released
>
> ---------- Forwarded Message ----------
> Subject: [ANNOUNCE] PHP 4.0.3 released
> Date: Thu, 12 Oct 2000 00:42:33 +0200
> From: Zeev Suraski <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED],
> [EMAIL PROTECTED]
>
>
> PHP 4.0.3 has been released. 4.0.3 is mostly a security-oriented
> maintenance release, therefore it's *strongly* recommended for all users of
> PHP to upgrade to it.
>
> Source:
> http://www.php.net/do_download.php?download_file=php-4.0.3.tar.gz
>
> Win32 binaries:
> http://www.php.net/do_download.php?download_file=php-4.0.3-Win32.zip
> You'd notice that the 4.0.3 Win32 distribution is beefed up with a lot of
> loadable modules. The extensive build is courtesy of Daniel Beulshausen -
> thanks!
>
> The full list of changes is enclosed.
>
> Zeev
>
>
> 11 Oct 2000, Version 4.0.3
> - Fixed a possible crash in -a interactive mode (Zeev, Zend Engine)
> - Added mysql_escape_string() (Peter A. Savitch and Brian Wang)
> - Fixed many possible crash bugs with improper use of the printf() family of
> functions (Andi)
> - Fixed a problem that allowed users to override admin_value's and
> admin_flag's (Zeev)
> - Fixed PostgreSQL module to work when the link handle is omitted (Zeev)
> - Fixed returning of empty LOB fields in OCI8. (Thies)
> - Added Calendar module to default Win32 build (Andi)
> - Added FTP module to default Win32 build (Andi)
> - Fixed crash in the POSIX getrlimit() function ([EMAIL PROTECTED])
> - Fixed dirname() under certain conditions (Andi)
> - Added --with-imap-ssl to support SSL'ized imap library in RH7 and others
> (Rasmus)
> - Fixed possible crash bug in parse_url() (Andi)
> - Added support for trans sid under Win32 (Daniel)
> - IPv6 support in fopen (Stig Venaas)
> - Added the shmop extension. It allows more general ways of shared memory
> access. (thanks to Ilia Alshanestky <[EMAIL PROTECTED]> and Slava Poliakov
> <[EMAIL PROTECTED]> (Derick)
> - Added the ability for CURLOPT_POSTFIELDS to accept an associative array of
> HTTP POST variables and values. (Sterling)
> - Added the CURLOPT_HTTPHEADER option to curl_setopt(). (Sterling)
> - Added the curl_error() and curl_errno() functions. (Sterling)
> - Changed ext/db not to be enabled by default (Jani)
> - Fixed building Apache SAPI module on SCO UnixWare (Sascha)
> - Fixed writing empty session sets to shared memory ([EMAIL PROTECTED])
> - Added support for BSD/OS make (Sascha)
> - Added improved URL rewriter (Sascha)
> - Fixed readdir_r() use on Solaris (Sascha)
> - Improved HTTP headers for private-caching ([EMAIL PROTECTED], Sascha)
> - Added new function session_cache_limiter ([EMAIL PROTECTED], Sascha)
> - Added ftp_exec to the ftp functions (thanks to <[EMAIL PROTECTED]>)
> (Derick)
> - PEAR: add last executed query as debug info in DB errors (Stig)
> - PEAR: allow multiple modes in PEAR_Error (Stig)
> - Made the Sybase CT module thread safe (Zeev)
> - Added second argument to array_reverse() that indicates whether
> the original array keys should be preserved. (Andrei)
> - Clean up htmlspecialchars/htmlentities inconsistencies. (Rasmus)
> - PEAR: renamed DB_GETMODE_* to DB_FETCHMODE_*, added setFetchMode()
> in DB_common to set the default mode, added some MySQL tests (Stig)
> - Made eval() and several other runtime-evaluated code portions report the
> nature and location of errors more accurately (Stas)
> - Added an optional parameter to wordwrap that cuts a string if the length of
> a word is longer than the maximum allowed. (Derick)
> - Added functions pg_put_line and pg_end_copy (Dirk Elmendorf)
> - Added second parameter for parse_str to save result (John Bafford)
> - Fixed bug with curl places extra data in the output. ([EMAIL PROTECTED])
> - Added the pathinfo() function. (Sterling)
> - Updated sybase_ct module and its sybase_query to use high performance API.
> (Joey)
> - Added a more configurable error reporting interface to DB. (Stig)
> - Added is_uploaded_file() and move_uploaded_file() (Zeev)
> - Added several directives to php.ini - post_max_size, file_uploads,
> display_startup_errors - see php.ini-dist for further information (Zeev)
> - Worked around a bug in the libc5 implementation of readdir() (Stas)
> - Fixed some potential OpenBSD and NetBSD crash bugs when opening files.
> (Andi)
> - Added EscapeShellArg() function (Rasmus)
> - Added a php.ini option session.use_trans_sid to enable/disable trans-sid.
> (Sterling)
> - Added the Sablotron extension for XSL parsing. (Sterling)
> - Fixed a bug in checkdate() which caused < 1 years to be valid (Jani)
> - Added support for an optional output handler function for output
> buffering. This enables transparent rendering of XML through XSL,
> transparent compression, etc. (Zeev)
> - Added support for user defined 'tick' callback functions. This helps
> emulate background processing. (Andrei)
> - Fixed problem with having $this as the XML parser object. (Andrei)
> - Internal opened_path variable now uses the Zend memory manager so that full
> paths of files won't leak on unclean shutdown (Andi)
> - Removed support of print $obj automatically calling the __string_value()
> method. Instead define yourself a method such as toString() and use
> print $obj->toString() (Andi, Zend Engine)
>
>
> --
> Zeev Suraski <[EMAIL PROTECTED]>
> http://www.zend.com/
>
>
> --
> PHP Announcements Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
> -------------------------------------------------------
>
> --
> Best Wishes,
> Viktors Rotanovs
> I create websites that attract more clients. http://riga.nu/
> Riga Latvia +371, Phone/Fax 7377-472, GSM 9173-000
>
----- End forwarded message -----
----- Forwarded message from Michal Zalewski <[EMAIL PROTECTED]> -----
> From: Michal Zalewski <[EMAIL PROTECTED]>
> Reply-To: Michal Zalewski <[EMAIL PROTECTED]>
> Date: Fri, 13 Oct 2000 03:42:47 +0200
> To: [EMAIL PROTECTED]
> Subject: another Xlib buffer overflow
>
> < I'm still looking for a good job: http://lcamtuf.hack.pl/job.html >
>
> [ Aleph, I have strange deja-vu I have seen similar hole reported to ]
> [ BUGTRAQ some time ago - but I've searched the archives and mailbox ]
> [ for anything related, and could not find it... so if I am blind, ]
> [ please bounce this message... :) ]
>
> Vulnerable object: XFree 3.3.x Xlib (no data on 4.0.x); no mention of fix
> in "security issues" page at www.xfree86.org.
>
> The problem is simple - you can invoke any executable linked against Xlib
> with -display command-line parameter or DISPLAY environment variable in
> the way which causes trivial stack overflow. This could happen, as before
> establishing unix socket connection, socket path containing user-supplied
> data is sprintf()ed to small buffer.
>
> You can overwrite both local variables and return address with limited set
> of characters (well, limited to digits ;), but I strongly believe it could
> be exploited with no difficulties by affecting only less significant bytes
> - partial address overwriting, partial variable overwriting - known
> techniques. Examining the stack and code shows us at least little endian
> machines are very likely to be vulnerable to successful exploitation.
>
> So, the impact is:
>
> DISPLAY=:`perl -e '{print "0"x128}'` any_privileged_X_application
> (or: any_privileged_X_application -display :...)
>
> Common X client applications are *term, games and several other programs
> that are setuid and linked against Xlib, whenever willing to access X
> server display.
>
> _______________________________________________________
> Michal Zalewski [[EMAIL PROTECTED]] [tp.internet/security]
> [http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
> =-----=> God is real, unless declared integer. <=-----=
>
----- End forwarded message -----
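Zalewski's post above describes the bug as a socket path built with sprintf() from the user-supplied display string into a small buffer. The C below is an added example for this digest, not XFree86 code and not a fix shipped by anyone: it shows the unsafe shape as a comment and then a bounded version that validates the display number before any formatting and detects truncation from snprintf()'s return value. The socket location /tmp/.X11-unix/XN is the conventional XFree86 one; the eight-digit limit on the display number is this example's own choice.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/un.h>

/* Unsafe shape described in the post (not compiled in): the display part of
 * DISPLAY goes through sprintf() into a small fixed buffer, so a spec such as
 * ":" followed by 128 digits runs past the end and into the saved frame.
 *
 *     char path[32];
 *     sprintf(path, "/tmp/.X11-unix/X%s", display_part);
 */

/* Parse the display number out of a DISPLAY spec (":N", ":N.S" or "host:N.S").
 * Only the digits between ':' and an optional '.' are accepted, and at most
 * eight of them, so the caller's string length never reaches the formatter.
 * Returns 0 and stores the number, or -1 for a malformed or oversized spec. */
int parse_display_number(const char *spec, unsigned *number) {
    const char *colon = strchr(spec, ':');
    if (colon == NULL) return -1;
    const char *p = colon + 1;
    size_t ndigits = 0;
    unsigned long value = 0;
    while (isdigit((unsigned char)p[ndigits])) {
        if (++ndigits > 8) return -1;          /* the 128-zero payload stops here */
        value = value * 10 + (unsigned)(p[ndigits - 1] - '0');
    }
    if (ndigits == 0) return -1;               /* ":" with no number */
    if (p[ndigits] != '\0' && p[ndigits] != '.') return -1;
    *number = (unsigned)value;
    return 0;
}

/* Format the Unix-domain socket path for a display number into out[outlen].
 * snprintf() returns the length it wanted, so truncation is detected instead
 * of silently producing a wrong path. Returns 0, or -1 if it does not fit. */
int x_socket_path(char *out, size_t outlen, unsigned number) {
    int n = snprintf(out, outlen, "/tmp/.X11-unix/X%u", number);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

/* DISPLAY spec straight to a path that fits in sockaddr_un.sun_path. */
int display_to_socket_path(const char *spec, char *out, size_t outlen) {
    unsigned number;
    if (parse_display_number(spec, &number) != 0) return -1;
    return x_socket_path(out, outlen, number);
}

int main(void) {
    char path[sizeof(((struct sockaddr_un *)0)->sun_path)];
    char evil[132];                            /* constructed: ":" + 128 zeros */
    evil[0] = ':';
    memset(evil + 1, '0', 128);
    evil[129] = '\0';

    const char *specs[] = { ":0", "localhost:12.0", evil, ":" };
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        if (display_to_socket_path(specs[i], path, sizeof path) == 0)
            printf("%-20.20s -> %s\n", specs[i], path);
        else
            printf("%-20.20s -> rejected\n", specs[i]);
    }
    return 0;
}
```

The point of parsing before formatting is that the thing being copied into the buffer is an integer of known maximum width, not the attacker's string; the snprintf() length check is then a second, independent guard for the case where the buffer is smaller than expected. For a setuid client the same discipline applies to every other piece of environment it consumes (XAUTHORITY, HOME, LANG), since the post notes that any privileged program linked against Xlib inherits the exposure.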
--------------------------------------------------------------------------
To unsubscribe, send an email to [EMAIL PROTECTED]
Archive information at http://www.linux.or.id/milis.php3
The list administrators can be reached at [EMAIL PROTECTED]