[ There was no issue 94 because there was nothing in the open-source UNIX-like area. ]

Sendmail Unsafe Signal Handling Race Condition Vulnerability
BugTraq ID: 2794
Remote: Unknown
Date Published: 2001-05-28
Relevant URL: http://www.securityfocus.com/bid/2794
Summary:
Several methods of causing undesired or unexpected behaviour in programs that make use of non-atomic or non-reentrant operations in signal handling functions have recently been presented in a paper by Michal Zalewski. Due to the implications of this paper, the Sendmail MTA has been found to be susceptible to several possible race condition vulnerabilities. The problems lie in the signal handlers used for dealing with specific signals (such as SIGTERM, SIGINT, etc.). By generating a signal while a signal handling operation is already in progress, an attacker could interrupt a non-reentrant libc function and enter it again from the handler. Precise timing in such an attack could possibly result in, for example, heap corruption or interruption during privilege lowering.

This set of vulnerabilities exists because of reentrant library function calls from signal handlers (malloc, free, syslog, operations on global buffers, etc.). Conditions where these types of attacks may be possible are known to exist in sendmail, which is installed set-uid root and locally executable. Attacks against sendmail are still theoretical. The program maintains its root privileges during runtime almost all of the time; no exploitable problems have yet been found with user signal delivery. It is remotely possible that an exploitable condition exists in Sendmail.

Webmin Environment Variable Information Disclosure Vulnerability
BugTraq ID: 2795
Remote: No
Date Published: 2001-05-28
Relevant URL: http://www.securityfocus.com/bid/2795
Summary:
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms, you can set up user accounts, Apache, DNS, file sharing and so on.
Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no external modules. This means that you only need a Perl binary to run Webmin.

Versions of Webmin prior to the current release (0.85) fail to properly remove sensitive information from certain environment variables. One such environment variable (HTTP_AUTHORIZATION) contains webmin's administrator login ID and password in MIME base64-encoded form. An attacker may trivially read and decode this information, and exploit it (and other data, including host path and configuration information) to further compromise the host, to the extent of potentially obtaining root privilege.

GnuPG Format String Vulnerability
BugTraq ID: 2797
Remote: Yes
Date Published: 2001-05-29
Relevant URL: http://www.securityfocus.com/bid/2797
Summary:
GnuPG is a popular open source public/private key encryption system. GnuPG contains a vulnerability which may allow remote attackers to gain access to the systems of users decrypting files. When a file with an unrecognized filename suffix is decrypted, GnuPG prompts the user to enter a filename to which the plaintext will be written. The program also attempts to obtain the original filename from the encrypted file, and includes it in the prompt.

The bug exists because the prompt is displayed to the user using a *printf function; the prompt is supplied as the format string argument. As a result, any format specifiers in the original filename will be interpreted and acted upon by the printf function. It may be possible for remote attackers to maliciously use format specifiers to write values to arbitrary locations in memory. By doing so, attackers could force the execution of arbitrary code by the GnuPG client.
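The handler discipline that avoids the Sendmail race described above, as an added example that is not from the advisory or from Sendmail: the handler only records the signal in a sig_atomic_t flag, any non-reentrant work (free, syslog) is done from the main loop, and sections such as heap operations or privilege drops run with the signal blocked. The helper names (install_handler, with_signal_blocked, take_pending_signal, critical_section_demo) are assumptions for this example, and SIGUSR1 stands in for the SIGTERM/SIGINT handlers the advisory mentions.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <string.h>

/* Written by the handler, read by the main loop: sig_atomic_t is the only
 * type the C standard guarantees can be stored safely from a handler. */
static volatile sig_atomic_t pending_signal = 0;

/* The handler only records the signal: no malloc, free, syslog or other
 * non-reentrant libc call, so nothing the interrupted code was using is
 * re-entered. Real cleanup happens later in take_pending_signal(). */
static void record_signal(int signo) { pending_signal = signo; }

int install_handler(int signo)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = record_signal;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    return sigaction(signo, &sa, NULL);
}

/* Run work() with signo blocked: a heap operation or privilege drop inside
 * cannot be interrupted; the signal stays pending until the mask is restored. */
int with_signal_blocked(int signo, void (*work)(void *), void *arg)
{
    sigset_t set, old;
    sigemptyset(&set);
    sigaddset(&set, signo);
    if (sigprocmask(SIG_BLOCK, &set, &old) != 0) return -1;
    work(arg);
    return sigprocmask(SIG_SETMASK, &old, NULL);
}

/* Main-loop side: consume the recorded signal. Cleanup that needs
 * non-reentrant calls (freeing buffers, syslog) belongs here. */
int take_pending_signal(void) { int s = (int)pending_signal; pending_signal = 0; return s; }

/* Demo (assumed name): raise SIGUSR1 inside a blocked section and report what
 * the flag held at that moment (0 means the handler had not run yet). */
static void raise_inside(void *arg) { raise(SIGUSR1); *(int *)arg = (int)pending_signal; }

int critical_section_demo(void)
{
    int seen = -1;
    pending_signal = 0;
    return with_signal_blocked(SIGUSR1, raise_inside, &seen) == 0 ? seen : -1;
}
```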
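For the Webmin issue above, an added example (not Webmin's own code, which is Perl) of the server-side scrubbing the advisory says was missing: the environment handed to a CGI program is rebuilt without HTTP_AUTHORIZATION, and the caller learns how many entries were dropped so it can log that. The function names, the denylist array and the environment entries in the test are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Variables that must not reach a CGI process because they carry the caller's
 * credentials. HTTP_AUTHORIZATION holds "user:password" base64-encoded, exactly
 * as the browser sent it, so the encoding gives no protection at all. */
const char *const CGI_SECRET_VARS[] = { "HTTP_AUTHORIZATION", NULL };

/* 1 if the "NAME=value" entry names a variable on the denylist (exact name match). */
static int is_secret(const char *entry, const char *const *denylist)
{
    for (; *denylist; denylist++) {
        size_t n = strlen(*denylist);
        if (strncmp(entry, *denylist, n) == 0 && entry[n] == '=') return 1;
    }
    return 0;
}

/* Build the environment handed to a CGI program from the server's own
 * environment, dropping denylisted entries. Returns a NULL-terminated array
 * that shares the caller's strings (free the array itself with free()), or
 * NULL on allocation failure; *removed tells the caller how many entries were
 * scrubbed so it can log that it happened. */
char **scrub_environment(char *const *envp, const char *const *denylist, int *removed)
{
    size_t count = 0, out = 0;
    while (envp[count]) count++;
    char **clean = malloc((count + 1) * sizeof *clean);
    if (!clean) return NULL;
    *removed = 0;
    for (size_t i = 0; i < count; i++) {
        if (is_secret(envp[i], denylist)) { (*removed)++; continue; }
        clean[out++] = envp[i];
    }
    clean[out] = NULL;
    return clean;
}
```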
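The *printf misuse behind the GnuPG bug above beside its hardened form, as an added example that is not GnuPG's code: the format string is a literal and the original filename taken from the encrypted file only ever travels as the %s argument, plus a small audit helper that counts conversion directives in untrusted data before it reaches a *printf call. The function names and the prompt wording are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* The bug class described above, kept only as a comment for contrast:
 *
 *     snprintf(buf, n, untrusted_name);    -- the data becomes the format string
 *
 * and any %-directive inside the name is interpreted by snprintf. */

/* Hardened form: the format string is a literal and the untrusted original
 * filename is passed only as the argument to %s. Returns the prompt length,
 * or -1 if the prompt did not fit (a truncated prompt must not be shown as
 * if it were complete). */
int build_prompt(char *buf, size_t n, const char *untrusted_name)
{
    int len = snprintf(buf, n, "Enter new file name [%s]: ", untrusted_name);
    if (len < 0 || (size_t)len >= n) return -1;
    return len;
}

/* Audit helper: count conversion directives in data that is about to reach
 * a *printf-family call; data from outside the program should contribute
 * none. A literal "%%" is not a directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}
```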
NetBSD Bogus Fragmented IPv4 Packet Denial of Service Vulnerability
BugTraq ID: 2799
Remote: Yes
Date Published: 2001-05-29
Relevant URL: http://www.securityfocus.com/bid/2799
Summary:
The IPv4 implementation used in the NetBSD kernel is subject to a denial of service attack. In the IPv4 input path, there is code to reassemble fragmented IPv4 datagrams. Datagram fragments destined to the node are queued for 30 seconds to allow the fragmented datagrams to be reassembled. The vulnerability exists because there is no upper limit on the number of reassembly queues. By transmitting a lot of bogus fragmented packets with different IPv4 identification fields, a malicious user could put a target machine into an mbuf starvation state. This could cause the node to stop communicating with other nodes. For the attack to be effective, the attacker needs to have good network connectivity to the target node; this might be accomplished from the victim node itself, or through a fat LAN, for example.

[ There are a few posts on BugTraq at the moment about the poor (?) quality of the OpenBSD kernel code; maybe exploits soon ]

- To post an announcement: [EMAIL PROTECTED]
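A bounded reassembly table for the NetBSD issue above, as an added example that is not the NetBSD kernel's own code: queues are keyed by source address and IPv4 identification, expire after the 30-second lifetime the advisory quotes, and the table has a fixed upper limit, with the oldest queue evicted rather than more memory allocated when it is full. The cap value, the function names and the timestamps used in the test are assumptions for this example.

```c
#include <stdint.h>
#include <string.h>
#define MAX_REASS_QUEUES 8      /* the upper limit the vulnerable code lacked (value assumed) */
#define REASS_TTL_SECONDS 30    /* queue lifetime quoted in the advisory */

struct reass_queue {
    int in_use;
    uint32_t src;               /* IPv4 source address */
    uint16_t id;                /* IPv4 identification field */
    long created;               /* arrival time of the first fragment, in seconds */
};
static struct reass_queue table[MAX_REASS_QUEUES];

void reset_queues(void) { memset(table, 0, sizeof table); }
int active_queues(void) { int n = 0; for (int i = 0; i < MAX_REASS_QUEUES; i++) n += table[i].in_use; return n; }

static struct reass_queue *find_queue(uint32_t src, uint16_t id)
{
    for (int i = 0; i < MAX_REASS_QUEUES; i++)
        if (table[i].in_use && table[i].src == src && table[i].id == id) return &table[i];
    return NULL;
}

/* Drop queues whose fragments never completed within the TTL; returns how many. */
int expire_queues(long now)
{
    int dropped = 0;
    for (int i = 0; i < MAX_REASS_QUEUES; i++)
        if (table[i].in_use && now - table[i].created >= REASS_TTL_SECONDS) {
            table[i].in_use = 0;
            dropped++;
        }
    return dropped;
}

/* Called for each fragment: find or create its queue without ever exceeding
 * MAX_REASS_QUEUES. When the table is full the oldest queue is evicted instead
 * of allocating more, which is what stops a flood of bogus fragments with fresh
 * IDs from starving the mbuf pool. Returns 1 if a queue was evicted, else 0. */
int fragment_arrived(uint32_t src, uint16_t id, long now)
{
    if (find_queue(src, id)) return 0;          /* joins an existing queue */
    expire_queues(now);                          /* reclaim stale slots first */
    struct reass_queue *victim = &table[0];
    for (int i = 0; i < MAX_REASS_QUEUES; i++) {
        if (!table[i].in_use) { victim = &table[i]; break; }
        if (table[i].created < victim->created) victim = &table[i];
    }
    int evicted = victim->in_use;
    victim->in_use = 1; victim->src = src; victim->id = id; victim->created = now;
    return evicted;
}
```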
