[linux-leman-annonces] SecurityFocus Newsletter #192 Summary

Marc SCHAEFER schaefer at alphanet.ch
Wed Apr 16 11:08:33 CEST 2003


Buffalo WBRG54 Wireless Broadband Router Denial Of Service Vulnerability
BugTraq ID: 7282
Remote: Yes
Date Published: Apr 04 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7282
Summary:

Buffalo Wireless Broadband Router WBRG54 is a network device for wireless
networks.

A vulnerability has been reported for the WBRG54 device that may result in
a denial of service. It should be noted that the device must be set to
'peer-to-peer' connection mode if exploitation is to be possible. This
mode allows for two devices to specifically communicate with each other.
The vulnerability occurs when a vulnerable device receives numerous ICMP
packets.

An attacker can exploit this vulnerability by sending ICMP (type 8)
packets to a vulnerable device. In some cases, this will result in the
device behaving unpredictably and denying service.

This vulnerability may also result in the device rebooting spontaneously.

The problem was reported for the WBRG54 with firmware revisions 1.11 and
1.13. Other versions may also be affected.

[ hardware ]

CVSps Unfiltered Escape Sequence Vulnerability
BugTraq ID: 7288
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7288
Summary:

CVSps is a program to generate a diff/patch set for CVS repositories. It
is available for Linux and Unix variant operating systems.

A vulnerability has been reported for CVSps where some characters were
improperly filtered prior to sending them to the command shell.
Specifically, escape sequences are not properly filtered from filenames
when generating a diff/patch set.

This issue can be exploited by a malicious CVS contributor who names a
file with malicious escape and shell metacharacters. When CVSps is used to
process the malicious file, it may be possible to execute commands on the
underlying shell of the host.

This vulnerability was reported for CVSps 2.0b9 and earlier.

Interbase External Table File Verification Vulnerability
BugTraq ID: 7291
Remote: Yes
Date Published: Apr 05 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7291
Summary:

Interbase is a database distributed and maintained by Borland. It is
available for Unix and Linux operating systems.

A vulnerability has been reported for Interbase that may result in the
corruption of arbitrary system files. The vulnerability exists due to
insufficient checks performed when creating or manipulating external
databases. Specifically, file existence checks are not made.

An attacker can exploit this vulnerability by creating an external table
pointing to an arbitrary system file. When the attacker attempts to modify
the external table, the system file will be corrupted with
attacker-supplied information. This may result in system instability.

This vulnerability is further exacerbated by the fact that the Interbase
service typically runs with root or SYSTEM level privileges.

Firebird is based on Borland/Inprise Interbase source code and is
therefore also prone to this issue.

Metrics Insecure Local File Creation Vulnerability
BugTraq ID: 7293
Remote: No
Date Published: Apr 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7293
Summary:

Metrics is an application designed to measure various software metrics. It
is available for the Linux operating system and is included with the
Debian 2.2 distribution.

A vulnerability has been discovered in Metrics which could allow an
attacker to corrupt sensitive system files. The problem occurs in the
'halstead' and 'gather_stats' scripts, included in the Metrics package.

The vulnerability exists due to the two scripts failing to carry out
sufficient security precautions when attempting to create temporary files.
As a result, it may be possible for a malicious local user to corrupt
sensitive system files.

This vulnerability was discovered in Metrics version 1.0; however, earlier
versions may also be affected.

Samba 'call_trans2open' Remote Buffer Overflow Vulnerability
BugTraq ID: 7294
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7294
Summary:

Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.

A buffer overflow vulnerability has been reported for Samba that could
allow an anonymous remote attacker to execute arbitrary code.

The vulnerability occurs in the 'call_trans2open()' function when copying
data into a 1024 byte static buffer.  Sufficient bounds checking is not
performed when a call to the 'Strncpy()' function is invoked.  The length
argument supplied to 'Strncpy()' is exactly the length of the
user-supplied data.  As a result, an attacker could exploit this
vulnerability by sending data in excess of 1024 bytes.

Successful exploitation of this vulnerability could allow an anonymous
attacker to overwrite sensitive stack variables, including the
'open_trans2open()' function's saved return address. The ability to
influence sensitive memory could be leveraged by the attacker to execute
arbitrary code with the privileges of the Samba server process.

Samba Multiple Unspecified Remote Buffer Overflow Vulnerabilities
BugTraq ID: 7295
Remote: Yes
Date Published: Apr 07 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7295
Summary:

Samba is a freely available file and printer sharing application
maintained and developed by the Samba Development Team. Samba allows file
and printer sharing between operating systems on the Unix and Microsoft
platforms. The Samba daemon is typically run with super user privileges.

Multiple remote buffer overflow vulnerabilities have been reported for
Samba and Samba-TNG. The overflows are reported to occur in both stack and
heap-based memory. This issue occurs due to insufficient bounds checking
when copying user-supplied data to internal buffers.

Although it has not been confirmed, it is likely that these issues can be
exploited to execute arbitrary code, with the privileges of Samba (which
typically runs as root).

These issues are reported to affect Samba 2.2.8 and Samba-TNG 0.3.1.

The precise technical details regarding these vulnerabilities are currently
unknown. This BID will be updated as further information is made
available.

It should be noted that these vulnerabilities may be similar to the issue
described in BID 7294.

Amavis Header Parsing Mail Relaying Weakness
BugTraq ID: 7306
Remote: Yes
Date Published: Apr 08 2003 12:00AM
Relevant URL:
http://www.securityfocus.com/bid/7306
Summary:

Amavis is a freely available, open source virus scanning software package.
It is available for the UNIX and Linux operating systems.

A problem with the software may make it possible to perform unauthorized
actions in vulnerable configurations.

It has been reported that some versions of Amavis-ng do not properly
interact with Postfix.  Because of this, an attacker may be able to
circumvent relay restrictions.

The problem is in the handling of headers.  Due to improper e-mail header
processing, Amavis may send e-mails to addresses specified in a To: field
in the message body rather than the RCPT TO: field specified via SMTP.
This could make it possible to relay e-mails through some configurations.

Other issues:
   - SETI client (proprietary without source, unless I am mistaken)
   - the usual PHP scripts
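
The copy pattern from the Samba 'call_trans2open()' item (BID 7294) above, as an added example that is not part of the newsletter and is not Samba's code: a copy whose bound is the sender's length, next to a form bounded by the 1024-byte destination. The function names, FNAME_BUF and the sample input are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FNAME_BUF 1024 /* destination size named in the advisory */

/* Flawed pattern, for contrast only (hypothetical helper, never called here):
 * the bound passed to the copy is the length of the sender's data, so it
 * limits nothing once src_len reaches the size of dst. */
void copy_unchecked(char *dst, const char *src, size_t src_len)
{
    strncpy(dst, src, src_len);
    dst[src_len] = '\0';
}

/* Hardened form (hypothetical helper): the bound is the destination size.
 * Over-long input is rejected rather than truncated, so a caller never acts
 * on a silently shortened name. Returns 0 on success, -1 on rejection. */
int copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    if (src_len >= dst_size) { /* no room for the data plus its terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

int main(void)
{
    static char fname[FNAME_BUF];
    char request[2000]; /* constructed sample input */
    memset(request, 'A', sizeof request);

    printf("1023 bytes: %d\n", copy_bounded(fname, sizeof fname, request, 1023));
    printf("1024 bytes: %d\n", copy_bounded(fname, sizeof fname, request, 1024));
    printf("2000 bytes: %d\n", copy_bounded(fname, sizeof fname, request, 2000));
    return 0;
}
```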
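
For the CVSps item (BID 7288) above, one way to neutralise a repository filename before it is placed on a shell command line, as an added example that is not CVSps code and not the project's fix: control characters are refused and the rest is single-quoted for POSIX sh. The function name and sample filenames are hypothetical; passing the name as a separate argv element to an exec call avoids the shell entirely and is preferable where possible.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Quote `name` as exactly one word of a POSIX sh command line (hypothetical
 * helper). Control characters (ESC, newline, DEL, ...) are rejected outright;
 * everything else is wrapped in single quotes, with each embedded ' written
 * as '\'' so that no metacharacter is interpreted by the shell.
 * Returns the quoted length, or -1 if rejected or `out` is too small. */
int quote_filename(const char *name, char *out, size_t out_size)
{
    size_t n = 0;

    if (name == NULL || out == NULL || name[0] == '\0' || out_size < 3)
        return -1;
    for (const char *p = name; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (c < 0x20 || c == 0x7f)
            return -1; /* escape sequences never reach the shell or terminal */
    }
    out[n++] = '\'';
    for (const char *p = name; *p; p++) {
        size_t need = (*p == '\'') ? 4 : 1;
        if (n + need + 2 > out_size) /* keep room for closing quote and NUL */
            return -1;
        if (*p == '\'') {
            memcpy(out + n, "'\\''", 4);
            n += 4;
        } else {
            out[n++] = *p;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* constructed sample filenames */
    const char *names[] = { "src/main.c", "it's.c", "a;b`c$d.c", "\x1b[2J.c" };
    char buf[64];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int r = quote_filename(names[i], buf, sizeof buf);
        printf("%d %s\n", r, r < 0 ? "(rejected)" : buf);
    }
    return 0;
}
```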



