Security Advisories Week: 22-29 May 2002

Title: OpenServer popper buffer overflow and denial of service

Date: May 22 2002

Vendor: Caldera

Vulnerable systems: OpenServer 5.0.5 and OpenServer 5.0.6

Full advisory: http://www.net-security.org/advisory.php?id=716

Problem description: /etc/popper will go into a loop if a character string of length 2048 (or more) is sent to it. If the bulldir variable in the user’s config file is longer than 256 characters, popper will memory fault.

Title: Remote buffer overflow in imap

Date: May 24 2002

Vendor: Conectiva

Vulnerable systems: Conectiva Linux 6.0, 7.0, 8

Full advisory: http://www.net-security.org/advisory.php?id=717

Problem description: This vulnerability can be exploited by a remote attacker after he or she has been successfully authenticated by the server. Arbitrary code could then be executed, but with the privileges of the authenticated user.

Title: Cross site scripting vulnerability in mailman

Date: May 24 2002

Vendor: Conectiva

Vulnerable systems: Conectiva Linux 6.0, 7.0, 8

Full advisory: http://www.net-security.org/advisory.php?id=718

Problem description: Barry A. Warsaw announced a new version of mailman that fixes two cross site scripting vulnerabilities. According to this announcement, “office” reported such a vulnerability in the login page, and Tristan Roddis reported one in the Pipermail index summaries.

Title: Buffer overflow in UW imap daemon

Date: May 22 2002

Vendor: Red Hat

Vulnerable systems: Red Hat Linux 6.2, 7.1, 7.2

Full advisory: http://www.net-security.org/advisory.php?id=719

Problem description: The UW imap daemon contains a buffer overflow which allows a logged in, remote user to execute commands on the server with the user’s UID/GID.

Title: Updated nss_ldap packages fix pam_ldap vulnerability

Date: May 26 2002

Vendor: Red Hat

Vulnerable systems: Red Hat Linux 6.2, 7.1, 7.2, 7.3

Full advisory: http://www.net-security.org/advisory.php?id=721

Problem description: Updated nss_ldap packages are now available for Red Hat Linux 6.2, 7.0, 7.1, 7.2, and 7.3. These packages fix a string format vulnerability in the pam_ldap module.

Title: perl-Digest-MD5 bug

Date: May 28 2002

Vendor: Mandrake

Vulnerable systems: Mandrake Linux 8.2

Full advisory: http://www.net-security.org/advisory.php?id=722

Problem description: A bug exists in the UTF8 interaction between the perl-Digest-MD5 module and perl that results in UTF8 strings having improper MD5 digests. The 2.20 version of the module corrects this problem.

Title: Fetchmail prior to 5.9.10 vulnerable

Date: May 28 2002

Vendor: Mandrake

Vulnerable systems: Mandrake Linux 7.1, 7.2, 8.0, 8.1, 8.2, Corporate Server 1.0.1, Single Network Firewall 7.2

Full advisory: http://www.net-security.org/advisory.php?id=723

Problem description: The fetchmail client allocates an array to store the sizes of the messages it is attempting to retrieve. The array size is determined by the number of messages the server claims to have, and fetchmail did not check whether that number was unreasonably high. This allows a malicious server to make the fetchmail process write data outside of the array bounds.

Title: scoadmin command creates temporary files insecurely

Date: May 28 2002

Vendor: Caldera

Vulnerable systems: OpenServer 5.0.5, OpenServer 5.0.6

Full advisory: http://www.net-security.org/advisory.php?id=724

Problem description: The scoadmin command creates and uses temporary files insecurely. Names can be predicted, and spoofed with symbolic links.

Title: sort command creates temporary files

Date: May 28 2002

Vendor: Caldera

Vulnerable systems: OpenServer 5.0.5, OpenServer 5.0.6

Full advisory: http://www.net-security.org/advisory.php?id=725

Problem description: The sort command creates and uses temporary files insecurely. Names can be predicted, and spoofed with symbolic links.

Title: Tcpdump remote command execution

Date: May 29 2002

Vendor: SuSE

Vulnerable systems: SuSE Linux line of products 6.4, 7.0, 7.1, 7.2, 7.3, 8.0

Full advisory: http://www.net-security.org/advisory.php?id=726

Problem description: Tcpdump decodes certain packets, such as AFS requests, incorrectly, resulting in a buffer overflow. Since running tcpdump requires root privileges, this may lead to a root compromise of the system running tcpdump.

Title: rc uses file globbing dangerously

Date: May 9 2002

Vendor: FreeBSD

Vulnerable systems: FreeBSD 4.4-RELEASE, FreeBSD 4.5-RELEASE, FreeBSD 4-STABLE prior to the correction date

Full advisory: http://www.net-security.org/advisory.php?id=727

Problem description: rc is the system startup script (/etc/rc). It is run when FreeBSD is booted multi-user and performs a multitude of tasks to bring the system up. One of these tasks is to remove lock files left by X Windows, as their existence could prevent one from restarting the X Windows server.

Title: DHCP remote exploitable vulnerability

Date: May 29 2002

Vendor: Mandrake

Vulnerable systems: Mandrake Linux 7.2, 8.1, 8.2, Single Network Firewall 7.2

Full advisory: http://www.net-security.org/advisory.php?id=729

Problem description: Fermin J. Serna discovered a problem in the dhcp server and client package: versions 3.0 to 3.0.1rc8 are affected by a format string vulnerability that can be exploited remotely.

Title: Remote denial-of-service when using accept filters

Date: May 29 2002

Vendor: FreeBSD

Vulnerable systems: FreeBSD 4.5-RELEASE, FreeBSD 4-STABLE after 2001-11-22 and prior to the correction date

Full advisory: http://www.net-security.org/advisory.php?id=728

Problem description: FreeBSD features an accept_filter mechanism which allows an application to request that the kernel pre-process incoming connections. For example, the accf_http accept filter prevents accept from returning until a full HTTP request has been buffered.

Title: Mozilla vulnerabilities

Date: May 29 2002

Vendor: Conectiva

Vulnerable systems: Conectiva Linux 6.0, 7.0, 8

Full advisory: http://www.net-security.org/advisory.php?id=730

Problem description: GreyMagic Security found a vulnerability in mozilla prior to version 1.0rc1 which allows a hostile site to read and list user files. The vulnerability was related to XMLHTTP, a component that is primarily used for retrieving XML documents from a web server.