Summary of Security Items from October 12 through October 18, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation that includes information published by outside sources; therefore, the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported, since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Windows Microsoft Distributed Transaction Coordinator (MSDTC) and COM+
A buffer overflow vulnerability has been reported in Windows MSDTC and COM+ that could let local or remote malicious users execute arbitrary code, obtain elevated privileges or cause a Denial of Service.
Flexbackup
A vulnerability has been reported in Flexbackup due to the insecure creation of several temporary files in the default configuration, which could let a malicious user overwrite arbitrary files.
No workaround or patch available at time of publishing.
There is no exploit code required.
Flexbackup Insecure Temporary File Creation
Medium
ZATAZ Flexbackup Advisory, October 15, 2005
Gentoo Linux
Gentoo Linux
Vulnerabilities have been reported in multiple Gentoo Linux packages that are built with an insecure RUNPATH, which could let a malicious user obtain elevated privileges.
Gentoo Linux Security Advisory, GLSA 200510-14, October 17, 2005
GNU
gzip 1.2.4a, 1.2.4, 1.3.3-1.3.5
A Directory Traversal vulnerability has been reported due to an input validation error when using 'gunzip' to extract a file with the '-N' flag, which could let a remote malicious user obtain sensitive information.
Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005
Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005
Security Focus, 13290, May 11, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005
Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005
FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005
OpenPKG Security Advisory, OpenPKG-SA-2005.009, June 10, 2005
RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005
SGI Security Advisory, 20050603-01-U, June 23, 2005
Conectiva Linux Announcement, CLSA-2005:974, July 6, 2005
Debian Security Advisory DSA 752-1, July 11, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101816, July 20, 2005
Avaya Security Advisory, ASA-2005-172, August 29, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101816, Updated September 27, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101816, Updated October 13, 2005
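Worked example of the gunzip '-N' issue above (added for this edit; it is not part of the US-CERT bulletin and not the gzip project's code). '-N' restores the file name stored in the gzip header's FNAME field, and a crafted member can store a name containing '../' components. The member below is constructed in-code; the two output-path functions are illustrative stand-ins for gzip's own logic, with the hardened version keeping only the final path component.

```python
import gzip
import posixpath
import struct
import zlib

# gzip header flag bits (RFC 1952)
FEXTRA = 0x04
FNAME = 0x08


def build_gzip_member(payload, stored_name):
    """Build a valid gzip member whose FNAME header field is attacker-chosen.
    Constructed test data: an attacker would ship such a file to someone who
    runs 'gunzip -N' on it."""
    header = struct.pack("<4B", 0x1F, 0x8B, 8, FNAME)   # ID1 ID2 CM=deflate FLG=FNAME
    header += struct.pack("<IBB", 0, 0, 255)            # MTIME XFL OS=unknown
    header += stored_name + b"\x00"                     # zero-terminated original name
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)      # raw deflate (no zlib wrapper)
    body = comp.compress(payload) + comp.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF,
                          len(payload) & 0xFFFFFFFF)    # CRC32, ISIZE
    return header + body + trailer


def stored_name(member):
    """Return the FNAME field of a gzip member, or None if the flag is clear."""
    if member[:2] != b"\x1f\x8b":
        raise ValueError("not a gzip member")
    flags = member[3]
    offset = 10
    if flags & FEXTRA:                                   # skip the optional extra field
        xlen = struct.unpack_from("<H", member, offset)[0]
        offset += 2 + xlen
    if not flags & FNAME:
        return None
    end = member.index(b"\x00", offset)
    return member[offset:end].decode("latin-1")


def unsafe_output_path(outdir, member):
    """Pre-fix behaviour of 'gunzip -N': trust the stored name as given, so
    '../' components walk out of the extraction directory."""
    return posixpath.join(outdir, stored_name(member))


def safe_output_path(outdir, member):
    """Hardened: keep only the final path component of the stored name."""
    name = stored_name(member) or ""
    base = posixpath.basename(name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise ValueError("stored name carries no usable file name: %r" % name)
    return posixpath.join(outdir, base)


def demo():
    """Run a crafted member through both paths and report where each would write."""
    member = build_gzip_member(b"hello\n", b"../../../tmp/owned")
    return {
        "decompresses_cleanly": gzip.decompress(member) == b"hello\n",
        "stored_name": stored_name(member),
        "unsafe_target": posixpath.normpath(unsafe_output_path("/home/victim/dl", member)),
        "safe_target": safe_output_path("/home/victim/dl", member),
    }
```

The crafted member is otherwise well-formed (CRC and size trailer are correct), so a decompressor that checks integrity but trusts the header name still writes to '/tmp/owned'.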
GNU
Texinfo 4.7
A vulnerability has been reported in 'textindex.c' due to insecure creation of temporary files by the 'sort_offline()' function, which could let a malicious user create/overwrite arbitrary files.
Security Focus, Bugtraq ID: 14854, September 15, 2005
Gentoo Linux Security Advisory, GLSA 200510-04, October 5, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:175, October 6, 2005
Ubuntu Security Notice, USN-194-1, October 06, 2005
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
GNU
gzip 1.2.4, 1.3.3
A vulnerability has been reported when an archive is extracted into a world or group writeable directory, which could let a malicious user modify file permissions.
Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005
Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005
Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005
FreeBSD Security Advisory, FreeBSD-SA-05:11, June 9, 2005
RedHat Security Advisory, RHSA-2005:357-19, June 13, 2005
SGI Security Advisory, 20050603-01-U, June 23, 2005
Conectiva Linux Announcement, CLSA-2005:974, July 6, 2005
Debian Security Advisory DSA 752-1, July 11, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101816, July 20, 2005
Avaya Security Advisory, ASA-2005-172, August 29, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101816, Updated September 27, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101816, Updated October 13, 2005
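Worked example of the permission-modification race class described in the second gzip entry above (added here; not code from the bulletin or from gzip). It assumes the race is the one between writing the output file and then setting its permissions by path name: an attacker who can write to the same group- or world-writable directory swaps in a symlink between the two steps, and chmod() follows it. The fix keeps the descriptor and uses fchmod(), which binds the change to the file that was actually created. The 'attacker_swap' hook and the victim file are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def extract_chmod_by_name(outdir, name, data, mode, attacker_swap=None):
    """Pre-fix pattern: write the output file, then set its permissions by
    path name. If the directory is group/world-writable, an attacker can
    replace the file with a symlink between the write and the chmod(); the
    chmod() follows the link and the target's mode is changed instead."""
    path = os.path.join(outdir, name)
    with open(path, "w") as fh:
        fh.write(data)
    if attacker_swap:
        attacker_swap(path)      # the race being won (constructed hook for the demo)
    os.chmod(path, mode)         # acts on whatever 'path' names right now
    return path


def extract_chmod_by_fd(outdir, name, data, mode, attacker_swap=None):
    """Hardened pattern: create with O_EXCL, keep the descriptor open and use
    fchmod(), so the permission change is bound to the inode we created."""
    path = os.path.join(outdir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data.encode())
        if attacker_swap:
            attacker_swap(path)  # same swap, but it no longer matters
        os.fchmod(fd, mode)
    finally:
        os.close(fd)
    return path


def race_demo():
    """Simulate the attacker in a scratch directory and report the victim's
    mode after each extraction variant."""
    work = tempfile.mkdtemp()                    # plays the shared writable directory
    try:
        victim = os.path.join(work, "victim")    # stands in for a file the attacker may not touch
        with open(victim, "w") as fh:
            fh.write("secret\n")
        os.chmod(victim, 0o600)

        def swap(path):                          # attacker: replace output file with a symlink
            os.unlink(path)
            os.symlink(victim, path)

        extract_chmod_by_name(work, "out-a", "x", 0o666, swap)
        after_by_name = stat.S_IMODE(os.stat(victim).st_mode)
        os.chmod(victim, 0o600)                  # reset for the second run
        extract_chmod_by_fd(work, "out-b", "x", 0o666, swap)
        after_by_fd = stat.S_IMODE(os.stat(victim).st_mode)
        return {"victim_mode_after_chmod_by_name": after_by_name,
                "victim_mode_after_fchmod": after_by_fd}
    finally:
        shutil.rmtree(work)
```

The same rule (operate on the descriptor, not the name) applies to fchown() versus chown() and to any other metadata update done after a file is opened.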
Graphviz
Graphviz 2.2.1
A vulnerability has been reported in '/dotty/dotty/dotty.lefty' due to the insecure creation of temporary files, which could let a malicious user overwrite arbitrary files.
Debian Security Advisory, DSA 857-1, October 10, 2005
Ubuntu Security Notice, USN-208-1, October 17, 2005
Grip
Grip 3.1.2, 3.2.0
A buffer overflow vulnerability has been reported in Grip's handling of CDDB protocol responses due to a boundary error, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code.
Fedora Update Notifications, FEDORA-2005-202 & 203, March 9, 2005
Gentoo Linux Security Advisory, GLSA 200503-21, March 17, 2005
RedHat Security Advisory, RHSA-2005:304-08, March 28, 2005
Mandrakelinux Security Update Advisory, MDKSA-2005:066, April 3, 2005
Gentoo Linux Security Advisory, GLSA 200504-07, April 8, 2005
SUSE Security Summary Report, SUSE-SR:2005:010, April 8, 2005
Mandriva Linux Security Update Advisories, MDKSA-2005:074 & 075, April 21, 2005
Peachtree Linux Security Notice, PLSN-0007, April 22, 2005
Fedora Legacy Update Advisory, FLSA:152919, September 15, 2005
Conectiva Linux Announcement, CLSA-2005:1033, October 13, 2005
Hewlett Packard Company
HP-UX 11.23, B.11.23
A Denial of Service vulnerability has been reported in systems running on Itanium platforms due to a failure to properly handle exceptional conditions.
Currently we are not aware of any exploits for this vulnerability.
HP-UX Itanium Denial of Service
Low
HP Security Bulletin, HPSBUX01233, October 12, 2005
Hewlett Packard Company
HP-UX 10.20, B.11.11, B.11.00
A vulnerability has been reported in the FTP server included with HP-UX, which could let an unauthenticated malicious user obtain sensitive information.
Reports indicate that HP has addressed this issue in HP advisory HPSBUX0208-213.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
HP-UX FTP Server Directory Listing
Medium
Security Focus, Bugtraq ID: 15138, October 19, 2005
Hewlett Packard Company
HP-UX 10.20, B.11.11, B.11.00
A vulnerability has been reported in the LPD service, which could let a remote malicious user execute arbitrary commands.
Reports indicate that HP has addressed this issue in HP advisory HPSBUX0208-213.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
HP-UX LPD Arbitrary Command Execution
High
Security Focus, Bugtraq ID: 15136, October 19, 2005
Hylafax
Hylafax 4.2.1
Several vulnerabilities have been reported: a vulnerability was reported in the 'xferfaxstats' script due to the insecure creation of temporary files, which could let a remote malicious user create/overwrite arbitrary files; and a vulnerability was reported because ownership of the UNIX domain socket is not created or verified, which could let a malicious user obtain sensitive information and cause a Denial of Service.
Security Focus, Bugtraq ID: 14907, September 22, 2005
Gentoo Linux Security Advisory, GLSA 200509-21, September 30, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:177, October 7, 2005
Debian Security Advisory, DSA 865-1, October 13, 2005
IBM
AIX 5.3
Buffer overflow vulnerabilities have been reported in the 'invscout,' 'paginit,' 'diagTasksWebSM,' 'getlvname,' and 'swcons' commands and multiple 'p' commands, which could let a malicious user execute arbitrary code, potentially with root privileges.
IBM has released an advisory (IBM-06-10-2005) to address this and other issues.
Updated APAR availability information. Removed interim fix information.
IBM Security Advisory, IBM-06-10-2005, June 10, 2005
Security Focus, 13909, July 7, 2005
IBM Security Advisory, September 13, 2005
IBM Security Advisory Updated October 19, 2005
IBM
AIX 5.2.2, 5.2L, 5.2
A vulnerability has been reported because the AIX 'lscfg' command creates temporary trace files in an unsafe manner, which could let a malicious user obtain elevated privileges.
Security Focus, Bugtraq ID: 15060, October 11, 2005
Ubuntu Security Notice, USN-202-1, October 12, 2005
Gentoo Linux Security Advisory, GLSA 200510-12, October 12, 2005
Marc Lehmann
Convert-UUlib 1.50
A buffer overflow vulnerability has been reported in the Convert::UUlib module for Perl due to a boundary error, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported in OpenLDAP, 'pam_ldap,' and 'nss_ldap' when a connection to a slave is established using TLS and the client is referred to a master, which could let a remote malicious user obtain sensitive information.
Several vulnerabilities have been reported: a vulnerability was reported in '/bin/cfmailfilter' and '/contrib/cfcron.in' due to the insecure creation of temporary files, which could let a remote malicious user create/overwrite arbitrary files; and a vulnerability was reported in 'contrib/vicf.in' due to the insecure creation of temporary files, which could let a remote malicious user create/overwrite arbitrary files.
Debian Security Advisories, DSA 835-1 & 836-1, October 1, 2005
Ubuntu Security Notice, USN-198-1, October 10, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:184, October 13, 2005
Multiple Vendors
zlib 1.2.2, 1.2.1, 1.2.0.7, 1.1-1.1.4, 1.0-1.0.9; Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32; SuSE Open-Enterprise-Server 9.0, Novell Linux Desktop 9.0, Linux Professional 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Personal 9.3, x86_64, 9.2, x86_64, 9.1, x86_64, Linux Enterprise Server 9; Gentoo Linux; FreeBSD 5.4, -RELENG, -RELEASE, -PRERELEASE, 5.3, -STABLE, -RELENG, -RELEASE; Debian Linux 3.1, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; zsync 0.4, 0.3-0.3.3, 0.2-0.2.3, 0.1-0.1.6 1, 0.0.1-0.0.6
A buffer overflow vulnerability has been reported due to insufficient validation of input data prior to utilizing it in a memory copy operation, which could let a remote malicious user execute arbitrary code.
Apple Security Update 2005-007, APPLE-SA-2005-08-15, August 15, 2005
SCO Security Advisory, SCOSA-2005.33, August 19, 2005
Security Focus, Bugtraq ID: 14162, August 26, 2005
Debian Security Advisory, DSA 797-1, September 1, 2005
Security Focus, Bugtraq ID: 14162, September 12, 2005
Fedora Legacy Update Advisory, FLSA:162680, September 14, 2005
Gentoo Linux Security Advisory, GLSA 200509-18, September 26, 2005
Debian Security Advisory, DSA 797-2, September 29, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101989, October 14, 2005
Multiple Vendors
Gentoo Linux;
GNU GDB 6.3
Multiple vulnerabilities have been reported: a heap overflow vulnerability was reported when loading malformed object files, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported which could let a malicious user obtain elevated privileges.
A vulnerability has been reported in the Linux kernel due to the way console keyboard mapping is handled, which could let a malicious user modify the console keymap to include scripted macro commands.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Linux Kernel Console Keymap Arbitrary Command Injection
Medium
Security Focus, Bugtraq ID: 15122, October 17, 2005
Multiple Vendors
MandrakeSoft Multi Network Firewall 2.0, Linux Mandrake 2006.0 x86_64, 2006.0, 10.2 x86_64, 10.2, Corporate Server 3.0 x86_64, 3.0;
GNU wget 1.10;
Daniel Stenberg curl 7.14.1, 7.13.1, 7.13, 7.12.1-7.12.3, 7.11-7.11.2, 7.10.6-7.10.8
A buffer overflow vulnerability has been reported due to insufficient validation of user-supplied NTLM user name data, which could let a remote malicious user execute arbitrary code.
Security Tracker Alert ID: 1015056, October 13, 2005
Mandriva Linux Security Update Advisories, MDKSA-2005:182 & 183, October 13, 2005
Ubuntu Security Notice, USN-205-1, October 14, 2005
Fedora Update Notifications, FEDORA-2005-995 & 996, October 17, 2005
Fedora Update Notification, FEDORA-2005-1000, October 18, 2005
Multiple Vendors
RedHat Enterprise Linux WS 4, WS 3, 2.1, IA64, ES 4, ES 3, 2.1, IA64, AS 4, AS 3, AS 2.1, IA64, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1, IA64; OpenSSL Project OpenSSL 0.9.3-0.9.8, 0.9.2b, 0.9.1c; FreeBSD 6.0 -STABLE, -RELEASE, 5.4 -RELENG, -RELEASE, 5.3 -STABLE, -RELENG, -RELEASE, 5.3, 5.2.1 -RELEASE, -RELENG, 5.2 -RELEASE, 5.2, 5.1 -RELENG, -RELEASE/Alpha, 5.1 -RELEASE-p5, -RELEASE, 5.1, 5.0 -RELENG, 5.0, 4.11 -STABLE, -RELENG, 4.10 -RELENG, -RELEASE, 4.10
A vulnerability has been reported in the implementation of the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option (kept for compatibility with third-party software), which disables a protocol-version rollback check and could let a remote malicious user bypass security.
A vulnerability has been reported in xntpd when started using the '-u' option and the group is specified by a string, which could let a malicious user obtain elevated privileges.
Fedora Update Notification, FEDORA-2005-812, August 26, 2005
Ubuntu Security Notice, USN-175-1, September 01, 2005
Debian Security Advisory, DSA 801-1, September 5, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:156, September 6, 2005
Conectiva Linux Announcement, CLSA-2005:1029, October 11, 2005
Multiple Vendors
SuSE Open-Enterprise-Server 9.0, Linux Enterprise Server 9;
OpenWBEM 3.1.0, 3.0.2, 2.0.14, 1.3.2
Multiple buffer overflow vulnerabilities have been reported due to insufficient bounds checking of user-supplied input before copying to insufficiently sized memory buffers, which could let a remote malicious user execute arbitrary code.
A buffer overflow vulnerability has been reported in the 'PNMToPNG' conversion package due to insufficient bounds checking of user-supplied input before copying it to an insufficiently sized memory buffer, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notice, USN-210-1, October 18, 2005
Multiple Vendors
XFree86 X11R6 4.3.0, 4.1.0; X.org X11R6 6.8.2; RedHat Enterprise Linux WS 2.1, IA64, ES 2.1, IA64, AS 2.1, IA64, Advanced Workstation for the Itanium Processor 2.1, IA64; Gentoo Linux
A buffer overflow vulnerability has been reported in the pixmap processing code, which could let a malicious user execute arbitrary code and possibly obtain superuser privileges.
Fedora Update Notifications, FEDORA-2005-893 & 894, September 16, 2005
Trustix Secure Linux Security Advisory, TSLSA-2005-0049, September 16, 2005
Debian Security Advisory DSA 816-1, September 19, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101926, September 19, 2005
SUSE Security Announcement, SUSE-SA:2005:056, September 26, 2005
Slackware Security Advisory, SSA:2005-269-02, September 26, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101953, October 3, 2005
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
Avaya Security Advisory, ASA-2005-218, October 19, 2005
Multiple Vendors
xine xine-lib 1.1.0, 1.0-1.0.2, 0.9.13; Ubuntu Linux 5.04 powerpc, i386, amd64, ppc, ia64, ia32;
Gentoo Linux
A format string vulnerability has been reported in 'input_cdda.c' when writing CD metadata retrieved from a CDDB server to a cache file, which could let a remote malicious user execute arbitrary code.
Trustix Secure Linux Security Advisory, TSLSA-2005-0034, July 8, 2005
Fedora Update Notifications, FEDORA-2005-561 & 562, July 13, 2005
RedHat Security Advisory, RHSA-2005:720-04, August 9, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:137, August 11, 2005
Ubuntu Security Notice, USN-190-1, September 29, 2005
RedHat Security Advisory, RHSA-2005:395-18, October 5, 2005
Conectiva Linux Announcement, CLSA-2005:1032, October 13, 2005
Avaya Security Advisory, ASA-2005-225, October 18, 2005
Net-snmp
Net-snmp 5.x
A vulnerability has been reported in 'fixproc' due to a failure to securely create temporary files in world-writable locations, which could let a malicious user obtain elevated privileges and possibly execute arbitrary code with root privileges.
Gentoo Linux Security Advisory, GLSA 200508-22, August 31, 2005
Conectiva Linux Announcement, CLSA-2005:1027, October 14, 2005
RedHat Security Advisory, RHSA-2005:767-8, October 17, 2005
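The Flexbackup, Texinfo 'sort_offline()', Graphviz dotty, HylaFAX 'xferfaxstats', AIX 'lscfg', cfengine and Net-SNMP 'fixproc' entries above all describe the same bug class: a temporary file created under a predictable name in a shared, typically world-writable, directory. The example below (added here; not code from any of those projects or from the bulletin) reproduces the attack against a scratch directory that stands in for /tmp, then shows the two usual fixes. The 'fixproc.tmp' name, the victim file and the directory are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def write_predictable_tmp(tmpdir, name, data):
    """Vulnerable pattern: a fixed, guessable name in a shared directory,
    opened with plain O_CREAT. If the attacker has already planted a symlink
    under that name, open() follows it and the write lands in the target."""
    path = os.path.join(tmpdir, name)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def write_exclusive_tmp(tmpdir, name, data):
    """Fix 1: keep the name but create with O_CREAT|O_EXCL|O_NOFOLLOW, which
    fails instead of following a pre-planted symlink or reusing a file."""
    path = os.path.join(tmpdir, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def write_mkstemp_tmp(tmpdir, data):
    """Fix 2 (preferred): unpredictable name, created atomically with O_EXCL
    and mode 0600 by mkstemp(); there is no name for the attacker to guess."""
    fd, path = tempfile.mkstemp(prefix="fixproc.", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def tmpfile_demo():
    """Play both sides in a scratch directory and report what happened."""
    work = tempfile.mkdtemp()                        # plays the role of a world-writable /tmp
    try:
        victim = os.path.join(work, "victim.conf")   # stands in for a root-owned file
        with open(victim, "w") as fh:
            fh.write("original\n")
        planted = os.path.join(work, "fixproc.tmp")  # the name the privileged tool is known to use
        os.symlink(victim, planted)                  # attacker plants the link before the tool runs

        write_predictable_tmp(work, "fixproc.tmp", "attacker-controlled\n")
        with open(victim) as fh:
            clobbered = fh.read() == "attacker-controlled\n"

        try:
            write_exclusive_tmp(work, "fixproc.tmp", "data\n")
            excl_refused = False
        except FileExistsError:                      # EEXIST: O_EXCL saw the planted link
            excl_refused = True

        safe = write_mkstemp_tmp(work, "data\n")
        return {
            "predictable_name_clobbered_victim": clobbered,
            "exclusive_open_refused_symlink": excl_refused,
            "mkstemp_file_is_symlink": os.path.islink(safe),
            "mkstemp_mode": stat.S_IMODE(os.stat(safe).st_mode),
        }
    finally:
        shutil.rmtree(work)
```

Shell scripts with the same problem (several of the entries above are scripts) get the equivalent of fix 2 from mktemp(1); a fixed "$TMPDIR/name.$$" is as guessable as the Python version shows.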
PCRE
PCRE 6.1, 6.0, 5.0
A vulnerability has been reported in 'pcre_compile.c' due to an integer overflow, which could let a remote/local malicious user potentially execute arbitrary code.
Gentoo Linux Security Advisory, GLSA 200509-19, September 27, 2005
Debian Security Advisory, DSA 821-1, September 28, 2005
Conectiva Linux Announcement, CLSA-2005:1013, September 27, 2005
Turbolinux Security Advisory, TLSA-2005-92, October 3, 2005
Avaya Security Advisory, ASA-2005-216, October 18, 2005
phpMyAdmin
phpMyAdmin 2.6.4-pl1
A vulnerability has been reported in 'libraries/grab_globals.lib.php' due to insufficient verification of the 'subform' array parameter before including files, which could let a malicious user include arbitrary files.
Mandriva Linux Security Update Advisory, MDKSA-2005:147, August 22, 2005
Turbolinux Security Advisory, TLSA-2005-91, September 20, 2005
RedHat Security Advisory, RHSA-2005:345-24, September 28, 2005
RedHat Security Advisory, RHSA-2005:346-19, October 5, 2005
Conectiva Linux Announcement, CLSA-2005:1028, October 11, 2005
Sun Microsystems Inc.
Solaris 10.0, 10.0_x86, 9.0, 9.0_x86, 8.0, 8.0_x86, 7.0, 7.0_x86
A vulnerability has been reported in the Xsun and Xprt commands due to an unspecified error, which could let a malicious user obtain elevated privileges.
Sun(sm) Alert Notification, Sun Alert ID: 101800, September 26, 2005
Avaya Security Advisory, ASA-2005-220, October 18, 2005
Sun Microsystems, Inc.
Solaris 10.0_x86, 10.0
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported in the 'privilege management' feature due to an unspecified error; and a vulnerability was reported in the Process File System (procfs) due to an unspecified security issue, which could let a malicious user obtain sensitive information.
SUSE Security Summary Report, SUSE-SR:2005:023, October 14, 2005
xloadimage
xloadimage 4.1
A buffer overflow vulnerability has been reported when handling the title of a NIFF image when performing zoom, reduce, or rotate functions, which could let a remote malicious user execute arbitrary code.
Debian Security Advisories, DSA 858-1 & 859-1, October 10, 2005
RedHat Security Advisory, RHSA-2005:802-4, October 18, 2005
YaPiG
YaPiG 0.95b
Multiple vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported due to insufficient sanitization of the 'Website' field when adding a comment, which could let a remote malicious user execute arbitrary HTML and script code; a Cross-Site Scripting vulnerability was reported in 'view.php' due to insufficient sanitization of the 'img_size' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability was reported because users can perform certain actions via HTTP POST requests without validity checks, which could let a remote malicious user perform certain administrative tasks.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
YaPiG Cross-Site Scripting & HTTP POST Requests Validity
Medium
Technical University of Vienna Security Advisory, TUVSA-0510-001, October 13, 2005
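Illustrative handling for the three YaPiG issues above (added here; not YaPiG's own code, which is PHP, and not from the advisory): escaping and scheme-checking the 'Website' field, coercing 'img_size' to a known value instead of echoing it back, and requiring a per-session token on state-changing POST requests, which is the usual validity check for the third issue. Function names, the allowed sizes and the session layout are assumptions made for the example.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

ALLOWED_SCHEMES = ("http", "https")


def safe_website_link(website):
    """The 'Website' comment field: escape for HTML and only link to http(s)
    URLs, so neither markup nor javascript: pseudo-URLs reach the page."""
    parts = urlsplit(website.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return html.escape(website)       # rendered as inert text, never as a link
    safe = html.escape(website, quote=True)
    return '<a href="%s" rel="nofollow">%s</a>' % (safe, safe)


def safe_img_size(raw, allowed=(320, 640, 800, 1024), default=640):
    """The view.php 'img_size' parameter: never echo the raw string; coerce to
    an integer from a fixed set and fall back to a default otherwise."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default
    return value if value in allowed else default


def issue_csrf_token(session):
    """Mint a fresh token, store it server-side in the session, and hand it to
    the form template (assumed session layout: a plain dict)."""
    session["csrf"] = secrets.token_hex(16)
    return session["csrf"]


def post_is_valid(form, session):
    """Validity check for state-changing POSTs: the session must hold a token
    and the submitted one must match it (constant-time compare)."""
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    return bool(expected) and hmac.compare_digest(expected, supplied)


def handle_admin_post(form, session):
    """Stand-in for an administrative action behind a POST; returns the
    server's decision instead of performing anything."""
    if not session.get("is_admin"):
        return "denied: not an admin"
    if not post_is_valid(form, session):
        return "denied: missing or bad CSRF token"
    return "ok: performed %s" % form.get("action", "?")
```

Without the token check, the admin's browser would send the session cookie along with any cross-site form post, which is why being logged in as admin is not by itself a validity check.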
Yukihiro Matsumoto
Ruby 1.6-1.6.8, 1.8-1.8.2
A vulnerability has been reported in 'eval.c' due to a flaw in the logic that implements the SAFE level checks, which could let a remote malicious user bypass access restrictions to execute scripting code.