[gull-annonces] Summary of SecurityFocus Newsletter #307
Marc SCHAEFER
schaefer at alphanet.ch
Sun Jul 24 09:46:41 CEST 2005

Linux Kernel IA32 execve() Local Buffer Overflow Vulnerability
BugTraq ID: 14205
Remote: No
Date Published: 2005-07-11
Relevant URL: http://www.securityfocus.com/bid/14205
Summary:
The Linux kernel is susceptible to a local buffer overflow vulnerability.
This issue is due to a race condition in an ia32 emulation system call that
leads to a memory copy operation that overflows a previously allocated
memory buffer.
During the time between two function calls to obtain buffer sizes, there
exists a window of opportunity for attackers to alter memory contents. This
race condition allows local attackers to overwrite critical kernel memory,
facilitating kernel-level machine code execution and privilege escalation.
On multiprocessor computers, attackers can directly alter the memory
contents to exploit this race condition. On uniprocessor computers, a
blocking function call allows attackers to exploit the race condition.
Versions of Linux 2.4 prior to 2.4.32-pre1, and Linux 2.6 prior to 2.6.7,
are susceptible to this issue.
This vulnerability only affects computers running on either the ia64 or the
amd64 hardware platform with ia32 emulation enabled.
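The race described above is a double fetch: the kernel sizes a buffer in one pass over the arguments and fills it in a second pass, and the data may change between the two. The C below is an added user-space illustration written for this summary, not the kernel's code; the argument arrays and the names args_total_size, pack_args_bounded and simulate_race are constructed for the example. It shows the hardened shape of the second pass: the copy is bounded by the first measurement and fails closed when the input has grown, instead of trusting the earlier count.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pass 1: measure the argument strings to size a destination buffer.
   Constructed illustration of the pattern, not kernel code. */
size_t args_total_size(char *const argv[]) {
    size_t total = 0;
    for (size_t i = 0; argv[i] != NULL; i++)
        total += strlen(argv[i]) + 1;       /* include the terminating NUL */
    return total;
}

/* Pass 2, hardened form. The vulnerable shape would copy each string while
   trusting that the pass-1 total still holds; if the strings grew in between,
   the copy runs past the buffer. Here the remaining capacity is tracked on
   every string and the function refuses (-1) as soon as the data no longer
   fits. Returns the number of bytes packed on success. */
long pack_args_bounded(char *const argv[], char *buf, size_t cap) {
    size_t used = 0;
    for (size_t i = 0; argv[i] != NULL; i++) {
        size_t len = strlen(argv[i]) + 1;
        if (len > cap - used)               /* re-validate against capacity */
            return -1;
        memcpy(buf + used, argv[i], len);
        used += len;
    }
    return (long)used;
}

/* Simulates the race: the buffer is sized from one view of the arguments,
   but the copy sees a second, longer view (what a concurrent writer or a
   blocking call could produce). Constructed inputs. */
long simulate_race(void) {
    char *const before[] = { "ls", "-l", NULL };
    char *const after[]  = { "ls", "-la", NULL };   /* one byte longer */
    size_t cap = args_total_size(before);            /* 6 bytes measured */
    char buf[64];
    return pack_args_bounded(after, buf, cap);       /* -1: refused, no overflow */
}

int main(void) {
    long r = simulate_race();
    printf("bounded copy after the data grew: %ld (expected -1)\n", r);
    return r == -1 ? 0 : 1;
}
```

The point is that the second pass must not rely on the first pass's number at all: every write checks against the capacity actually allocated, so a change between the two passes degrades to an error rather than a kernel memory overwrite.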

dhcpcd Remote Denial of Service Vulnerability
BugTraq ID: 14206
Remote: Yes
Date Published: 2005-07-11
Relevant URL: http://www.securityfocus.com/bid/14206
Summary:
dhcpcd is prone to a remote denial of service vulnerability.
The issue presents itself when the application handles malformed data and
accesses out of bounds memory.
dhcpcd 1.3.22pl4 is reported to be affected. It is possible that older
versions are vulnerable as well.

Backup Manager Insecure Temporary File Creation Vulnerability
BugTraq ID: 14210
Remote: No
Date Published: 2005-07-11
Relevant URL: http://www.securityfocus.com/bid/14210
Summary:
Backup Manager is affected by an insecure temporary file creation
vulnerability.
The issue arises when a user burns a CDR. This issue may allow an attacker
to create a malicious symbolic link that will be written to by the
vulnerable utility when an unsuspecting user executes it.
Backup Manager versions prior to 0.5.8b are affected.

SGI ArrayD arshell Remote Privilege Escalation Vulnerability
BugTraq ID: 14218
Remote: Yes
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14218
Summary:
SGI arshell is susceptible to a remote unspecified privilege escalation
vulnerability.
In certain unspecified circumstances, users executing arshell may be able to
execute commands on remote array computers with superuser privileges.
This vulnerability allows attackers to gain superuser privileges on any
computer in an array or cluster.
Further details are not currently available. This BID will be updated as
more information is disclosed.
[ here, array == a compute cluster, for example ]

xpvm Insecure Temporary File Creation Vulnerability
BugTraq ID: 14228
Remote: No
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14228
Summary:
xpvm creates temporary files in an insecure manner.
A local attacker would most likely take advantage of this vulnerability by
creating a malicious symbolic link in a directory where the temporary files
will be created. When the program attempts to perform an operation on a
temporary file, it will instead perform the operation on the file pointed to
by the malicious symbolic link.
Exploitation would most likely result in loss of data or a denial of service
if critical files are overwritten in the attack. Other attacks may be
possible as well.

Nokia Affix BTFTP Client Filename Remote Buffer Overflow Vulnerability
BugTraq ID: 14230
Remote: Yes
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14230
Summary:
The Nokia Affix btftp client software is prone to a remote client-side
buffer overflow vulnerability. The issue exists due to a lack of sufficient
boundary checks that are performed on filename data before this data is
copied into a finite memory buffer.
This issue may be exploited by an attacker that is under control of an OBEX
File Transfer server, to execute arbitrary code in the context of the
affected clients that connect to the malicious server, and request a
directory listing.

Nokia Affix BTSRV/BTOBEX Remote Command Execution Vulnerability
BugTraq ID: 14232
Remote: Yes
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14232
Summary:
Nokia Affix btsrv/btobex are reported prone to a remote command execution
vulnerability. The issue exists due to a lack of input sanitization that is
performed before using attacker-controlled data in a 'system()' call.
Because the affected services run with superuser privileges, this issue may
be exploited to fully compromise a target computer that is running the
affected software.

Linux-HA heartbeat Insecure Temporary File Creation Vulnerability
BugTraq ID: 14233
Remote: No
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14233
Summary:
heartbeat creates temporary files in an insecure manner.
A local attacker would most likely take advantage of this vulnerability by
creating a malicious symbolic link in a directory where the temporary files
will be created. When the program attempts to perform an operation on a
temporary file, it will instead perform the operation on the file pointed to
by the malicious symbolic link.
Exploitation would most likely result in loss of data or a denial of service
if critical files are overwritten in the attack. Other attacks may be
possible as well.
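Three entries in this issue (Backup Manager, BID 14210; xpvm, BID 14228; heartbeat, BID 14233) describe the same class of defect: a temporary file with a predictable name is created without O_EXCL, so a symbolic link already sitting at that name redirects the program's write onto the link's target. The C below is an added example written for this summary, not code from any of those projects; the sandbox directory, the file names and the function names are constructed for the example. It contrasts the open() pattern that follows a pre-existing link with O_CREAT|O_EXCL and mkstemp(), which refuse or avoid it, and checks each outcome inside a throwaway directory the program creates itself.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The shape the advisories describe: a fixed, predictable name opened with
   O_CREAT but without O_EXCL. If a symlink already exists at that name, the
   open follows it and every write lands on the link target. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened form: O_EXCL makes the open fail with EEXIST if anything (a
   symlink included) is already at the path; O_NOFOLLOW adds a second guard
   on the final path component. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-contained scenario in a throwaway directory (constructed paths).
   Returns a bitmask:
     bit 0: the unsafe open was redirected onto the pre-existing link target
     bit 1: the O_EXCL open refused the pre-existing link (errno == EEXIST)
     bit 2: mkstemp() produced a fresh regular file with a unique name
   A return of -1 means the sandbox directory could not be created. */
int temp_file_demo(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char victim[256], linkpath[256], tmpl[256];
    struct stat sv, so;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(linkpath, sizeof linkpath, "%s/predictable.tmp", dir);
    snprintf(tmpl, sizeof tmpl, "%s/safe.XXXXXX", dir);

    /* A file the program never meant to touch, and a link at the
       predictable temp name pointing at it (the advisories' precondition). */
    fd = open(victim, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) goto cleanup;
    close(fd);
    if (symlink(victim, linkpath) != 0) goto cleanup;

    /* Unsafe open: same inode as victim.txt, so writes would hit it. */
    fd = open_tmp_unsafe(linkpath);
    if (fd >= 0) {
        if (fstat(fd, &so) == 0 && stat(victim, &sv) == 0 && so.st_ino == sv.st_ino)
            result |= 1;
        close(fd);
    }

    /* O_EXCL open: refuses the existing link outright. */
    errno = 0;
    fd = open_tmp_safe(linkpath);
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) close(fd);

    /* mkstemp: the library picks a unique name and creates it with O_EXCL. */
    fd = mkstemp(tmpl);
    if (fd >= 0) {
        if (fstat(fd, &so) == 0 && S_ISREG(so.st_mode)) result |= 4;
        close(fd);
        unlink(tmpl);
    }

cleanup:
    unlink(linkpath);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void) {
    int r = temp_file_demo();
    printf("unsafe open redirected: %d, O_EXCL refused link: %d, mkstemp ok: %d\n",
           r & 1, (r >> 1) & 1, (r >> 2) & 1);
    return r == 7 ? 0 : 1;
}
```

A return value of 7 means all three observations held: the O_CREAT-without-O_EXCL open was silently redirected, while both O_EXCL and mkstemp() kept the write off the planted target. For shell-driven utilities such as Backup Manager the equivalent fix is mktemp(1) rather than a hand-built name under /tmp.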

MIT Kerberos 5 Key Distribution Center Remote Single Byte Heap Overflow Vulnerability
BugTraq ID: 14236
Remote: Yes
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14236
Summary:
The Kerberos 5 Key Distribution Center (KDC) implementation is affected by a
remote single-byte heap overflow vulnerability.
A remote unauthenticated attacker can exploit this vulnerability by sending
malformed data through a request over TCP or UDP to an affected computer.
This may result in memory corruption and lead to an overflow condition.
If arbitrary code execution occurs, the attacker may gain complete access to
an entire Kerberos realm.
All MIT Kerberos 5 releases up to and including krb5-1.4.1 are vulnerable.
Third party application servers employing Kerberos 5 may be affected as well.

MIT Kerberos 5 KRB5_Recvauth Remote Pre-Authentication Double-Free Vulnerability
BugTraq ID: 14239
Remote: Yes
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14239
Summary:
MIT Kerberos 5 is prone to a remote double-free vulnerability; the issue can
be triggered by remote attackers prior to any authentication whatsoever. The
issue exists in the 'recvauth_common()' helper function.
A remote attacker may trigger this issue prior to authentication. Because of
the code path taken in the vulnerable function, exploitation may be
hindered. However, it is conjectured that this issue may be ultimately
leveraged to execute arbitrary code in the context of the affected service.
It should be noted that successful exploitation of this issue on a Kerberos
Key Distribution Center (KDC) computer, may result in the compromise of an
entire Kerberos realm.

MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
BugTraq ID: 14240
Remote: Yes
Date Published: 2005-07-12
Relevant URL: http://www.securityfocus.com/bid/14240
Summary:
The Kerberos 5 Key Distribution Center (KDC) implementation is affected by a
remote denial of service vulnerability. This issue arises because the
application attempts to free uninitialized memory at a random address when
handling a remote request over TCP.
Specifically, the vulnerability arises when the application handles a
principal name consisting of zero components.
All MIT Kerberos 5 releases up to and including krb5-1.4.1 are vulnerable.
Third party application servers employing Kerberos 5 may be affected as well.

Mozilla Suite, Firefox And Thunderbird Multiple Vulnerabilities
BugTraq ID: 14242
Remote: Yes
Date Published: 2005-07-13
Relevant URL: http://www.securityfocus.com/bid/14242
Summary:
The Mozilla Foundation has released 12 security advisories specifying
security vulnerabilities in Mozilla Suite, Firefox, and Thunderbird.
These vulnerabilities allow attackers to execute arbitrary machine code in
the context of the vulnerable application, bypass security checks, execute
script code in the context of targeted Web sites to disclose confidential
information; other attacks are also possible.
These vulnerabilities have been addressed in Firefox version 1.0.5, Mozilla
Suite 1.7.9. Mozilla Thunderbird has not been fixed at this time.
The issues described here will be split into individual BIDs as further
analysis is completed. This BID will then be retired.
Reportedly, Netscape is also vulnerable to the issue described in MFSA
2005-47. Due to the nature of Netscape's fork from the Mozilla codebase, it
is likely that Netscape is also affected by most, or all of the issues that
affect Mozilla Firefox. This has not been confirmed at this time.

Easy Software Products CUPS Access Control List Bypass Vulnerability
BugTraq ID: 14265
Remote: Yes
Date Published: 2005-07-14
Relevant URL: http://www.securityfocus.com/bid/14265
Summary:
CUPS is susceptible to an ACL (Access Control List) bypass vulnerability.
This issue is due to a failure of the application to properly apply ACLs to
incoming print jobs.
This vulnerability allows attackers to bypass configured ACLs, allowing them
to print jobs on printers, skipping any configured authentication checks or
IP restrictions.