[gull-annonces] Summary of SecurityFocus Newsletter #250

Marc SCHAEFER schaefer at alphanet.ch
Wed May 26 12:01:02 CEST 2004


Reminder of the rules:

   - free software only (in the DFSG sense)
   - IRC clients, chat, file-sharing networks, PHP, etc. are excluded
   - hardware (firmware) is generally covered even when proprietary

SecurityFocus is making my work harder and harder by no longer giving
the approximate licenses of the software, nor their platform, and very
often an incomplete or even wrong description of the software
concerned.

Apache mod_ssl Stack Buffer Overflow
BugTraq ID: 10355
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10355
Summary:
A stack-based buffer overflow has been reported in the Apache mod_ssl
module. This issue is exposed in utility code for uuencoding binary data.

This issue would most likely result in a denial of service if
triggered, but could theoretically allow for execution of arbitrary
code.  The issue is not believed to be exploitable to execute
arbitrary code on x86 architectures, though this may not be the case
with other architectures.

KDE Multiple URI Handler Vulnerabilities
BugTraq ID: 10358
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10358
Summary:
It has been reported that KDE is prone to multiple input validation
vulnerabilities in various URI handlers.  The issues are reported to
exist due to insufficient sanitization of user-supplied input by the
telnet, rlogin, ssh and mailto URI handlers.  Specifically, if a '-'
character is present at the beginning of a host name, options may be
passed to the programs to carry out an attack.
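The defensive counterpart of the flaw described above, as an added example that is not part of the post or of KDE: a small POSIX sh helper (names `validate_host` and `run_client` are my own) that refuses a URI host beginning with '-' and passes the host after the "--" end-of-options marker, so that getopt-based clients such as ssh never read it as an option.

```shell
#!/bin/sh
# Validate a host name taken from a URI before handing it to a command-line
# client, and pass it after "--" so it is never parsed as an option.

# Accept only a conservative host-name alphabet. A leading '-' is rejected
# outright because telnet, rlogin and ssh would read it as an option.
# IPv6 literals and internationalised names are out of scope here.
validate_host() {
    case "$1" in
        '' | -* )            return 1 ;;   # empty, or would be read as an option
        *[!A-Za-z0-9.-]* )   return 1 ;;   # anything outside letters, digits, '.' and '-'
    esac
    return 0
}

# Run a client with a validated host placed after "--", the end-of-options
# marker honoured by getopt-based programs such as OpenSSH. Options for
# the client itself must come from the handler, never from the URI.
# Usage: run_client ssh example.org -l user
run_client() {
    client=$1; host=$2; shift 2
    validate_host "$host" || { printf 'rejected host: %s\n' "$host" >&2; return 1; }
    "$client" "$@" -- "$host"
}
```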

GNU libtasn1 Undisclosed Vulnerability
BugTraq ID: 10360
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10360
Summary:
GNU libtasn1 has been reported prone to an undisclosed
vulnerability. The issue is reported to present itself in the DER
parsing functions of libtasn1.

This BID will be updated as soon as further information regarding this vulnerability becomes available.

Libtasn1 versions prior to 0.1.2 and 0.2.7 are reported prone to this
vulnerability.

[ ASN.1 parsing is used notably in everything related to ISO
  protocols such as SNMP, etc. ]

wget Insecure File Creation Race Condition Vulnerability
BugTraq ID: 10361
Remote: No
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10361
Summary:
wget has been reported prone to a race condition vulnerability. The
issue exists because wget does not lock files that it creates and
writes to during file downloads.

A local attacker may exploit this condition to corrupt files with the
privileges of the victim who is running the vulnerable version of
wget.

[ Actually, this is not a vulnerability in the usual sense. wget includes
  a mechanism that, if the file already exists, allows resuming (-c) or
  creating a new file (.1, .2, .3, etc.). But of course, if a file or a
  directory with that name is created between the check and the transfer,
  there will be an overwrite or an error. Under /tmp, one can imagine an
  exploit based on symlinks, but the problem of shared directories is not
  new. In short, if you write scripts using wget, transfer the data under
  ~ (or better, under a special directory chmod 700 ~/tmp), or create a
  directory under /tmp, something like
  umask 077 && mkdir /tmp/blabla_$$ && cd /tmp/blabla_$$ || fail "error"
]

libuser Multiple Unspecified Vulnerabilities
BugTraq ID: 10368
Remote: Yes
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10368
Summary:
libuser implements a standardized interface for manipulating and
administering user and group accounts on Unix systems.

It has been reported that several vulnerabilities exist in this
library. Attackers could possibly crash applications that are linked
to this library, or possibly cause the applications to write 4GB files
containing garbage to disk.

These issues could possibly lead to a denial of service condition,
causing legitimate users to be unable to access resources.

Mandrake Linux passwd Potential Vulnerabilities
BugTraq ID: 10370
Remote: Unknown
Date Published: May 17 2004
Relevant URL: http://www.securityfocus.com/bid/10370
Summary:
Two potential security issues reportedly affect the implementation of
passwd included with Mandrake Linux, according to Mandrake advisory
MDKSA-2004:045.  According to the report, passwords supplied to passwd
via stdin are incorrectly one character shorter than they should be.
It is not known whether this behavior occurs at the interactive prompt
or if the implementation allows for passwords to be "piped" to passwd
through stdin.  This may or may not have security implications as the
user's password will not be stored correctly and the user will not be
able to login.  It is conceivable that this could result in a less
secure password.  The second issue reported by Mandrake is that PAM
may not be initialized correctly and "safe and proper" operation may
not be ensured.  Further technical details are not known.

Blue Coat Systems SGOS Private Key Disclosure Vulnerability
BugTraq ID: 10371
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10371
Summary:
Blue Coat Systems Security Gateway OS (SGOS) 3.x devices are prone to
a vulnerability that could cause the private encryption key to be
disclosed to unauthorized parties.

The issue reportedly occurs when the private key is imported through
the web-based administrative interface.  This will cause the private
key and passphrase to be logged in plaintext, potentially exposing this
issue to other local users.

It is also reported that certain administrative actions or
configurations could also expose this information to other
unauthorized parties, though specific details have not been publicized
at this time.

[ hardware/firmware ]

Secure Computing Sidewinder G2 Multiple Unspecified Denial O...
BugTraq ID: 10373
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10373
Summary:
It has been reported that the Sidewinder G2 is prone to multiple
unspecified denial of service vulnerabilities.

The T.120, RTSP and SMTP proxies, and the mail filter all have been
reported to contain denial of service vulnerabilities.

These vulnerabilities could be exploited by a remote attacker to deny
service to legitimate users.

[ hardware/firmware ]

Multiple Perl Implementation System Function Call Buffer Ove...
BugTraq ID: 10375
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10375
Summary:
ActiveState Perl and Perl for cygwin are both reported to be prone to
a buffer overflow vulnerability.

The issue is reported to exist due to a lack of sufficient bounds
checking that is performed on data that is passed to a Perl system()
function call. This vulnerability may permit an attacker to influence
execution flow of a vulnerable Perl script to ultimately execute
arbitrary code. Arbitrary code execution will occur in the context of
the user who is running the malicious Perl script.

[ does not concern POSIX; moreover, it is certain that the parameters of
  system() should not be controllable by anything other than the
  script itself.
]

Multiple Perl Implementation Duplication Operator Integer Ov...
BugTraq ID: 10380
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10380
Summary:
ActiveState Perl is reported to be prone to an integer overflow
vulnerability. It is revealed through testing that other
implementations are also vulnerable.

The issue is reported to exist due to a lack of sufficient bounds
checking that is performed on multiplier data that is passed to a Perl
duplicator statement. This vulnerability may permit an attacker to
influence execution flow of a vulnerable Perl script to ultimately
execute arbitrary code. Failed exploit attempts will result in a
denial of service.

[ non-POSIX only ]

KDE Konqueror Embedded Image URI Obfuscation Weakness
BugTraq ID: 10383
Remote: Yes
Date Published: May 18 2004
Relevant URL: http://www.securityfocus.com/bid/10383
Summary:
It is reported that KDE Konqueror is prone to a URI obfuscation
weakness that may hide the true contents of a URI link. The issue
occurs when an image is contained within a properly formatted HREF
tag.

This weakness could be employed to trick a user into following a
malicious link.

An attacker can exploit this issue by supplying a malicious image that
appears to be a URI link pointing to a page designed to mimic that of
a trusted site. If an unsuspecting victim is to mouseover the link in
an attempt to verify the authenticity of where it references, they may
be deceived into believing that the link references the actual trusted
site.

CVS Malformed Entry Modified and Unchanged Flag Insertion He...
BugTraq ID: 10384
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10384
Summary:
CVS is prone to a remote heap overflow vulnerability.  This issue
presents itself during the handling of user-supplied input for entry
lines with 'modified' and 'unchanged' flags.  This vulnerability can
allow an attacker to overflow a vulnerable buffer on the heap,
possibly leading to arbitrary code execution.

CVS versions 1.11.15 and prior and CVS feature versions 1.12.7 and
prior are prone to this issue.

[ serious attack, especially if the pserver is active, although perhaps
write access to the CVS is required, not very clear
]

Neon WebDAV Client Library ne_rfc1036_parse Function Heap Ov...
BugTraq ID: 10385
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10385
Summary:
Neon WebDAV client library is prone to a heap overflow vulnerability.
This issue exists due to improper boundary checks performed on
user-supplied data.  Reportedly a malformed string value may cause a
sscanf() string overflow into static heap variables.

Neon 0.24.5 and prior are prone to this issue.

Subversion Date Parsing Function Buffer Overflow Vulnerabili...
BugTraq ID: 10386
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10386
Summary:
Subversion is prone to a buffer overflow vulnerability.  This issue
exists in one of the data parsing functions of the application.
Specifically, Subversion calls an sscanf() function when converting
data strings to different formats.  This causes user-supplied data to
be copied into an unspecified buffer without proper boundary checks
performed by the application.

Subversion versions 1.0.2 and prior are prone to this issue.

F5 BIG-IP Syncookie Denial Of Service Vulnerability
BugTraq ID: 10388
Remote: Yes
Date Published: May 19 2004
Relevant URL: http://www.securityfocus.com/bid/10388
Summary:
It has been reported that the switch is susceptible to a denial of
service condition, whereby a remote attacker is able to panic the
kernel. Once the kernel is in a panic condition, the switch is
rendered completely incapacitated, denying access to legitimate users.

The fault lies in a race condition in the syncookie evaluation code. A
remote attacker could exploit this vulnerability by simply SYN
flooding an affected switch. As these switches are designed to add
reliability to network applications, this could be a significant
denial of service.

The vulnerability functionality was included in version 4.5.  Versions
prior to 4.5 are not vulnerable to the issue.

[ firmware ]

vsftpd Listener Denial of Service Vulnerability
BugTraq ID: 10394
Remote: Yes
Date Published: May 21 2004
Relevant URL: http://www.securityfocus.com/bid/10394
Summary:
According to the vendor, vsftpd is prone to a denial of service
condition in the connection handling code. vsftpd's listener process
can become unstable under extreme loads, denying service to legitimate
users.

The issue apparently arises from reentering malloc and free, possibly
corrupting memory. Vsftpd calls non-reentrant functions
inappropriately, thus leading to a denial of service vulnerability.

[ problem perhaps due to multithreading, a programming method that
  increases complexity and inter-vulnerability ]

UCD-SNMPD Command Line Parsing Local Buffer Overflow Vulnera...
BugTraq ID: 10396
Remote: No
Date Published: May 21 2004
Relevant URL: http://www.securityfocus.com/bid/10396
Summary:
It is reported that the UCD-SNMP 'snmpd' daemon is prone to a command
line parsing buffer overflow vulnerability.  This issue is due to a
failure of the application to properly validate the size of
user-supplied argument strings before copying them into a finite
buffer. This issue may permit a local attacker to influence execution
flow of the affected snmpd daemon, and ultimately execute arbitrary
instructions in the context of the process.

This vulnerability is reported to affect UCD-SNMP versions up to and
including version 4.2.6.
