bzip2 Decompression File Overwrite Vulnerability
BugTraq ID: 4774
Remote: Yes
Date Published: May 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4774
Summary:
bzip2 is an open-source file compression/decompression utility for Unix and Linux variants. bzip2 does not decompress files securely. When a file is decompressed, the program does not sufficiently check whether the output file already exists, potentially allowing files to be overwritten without warning during decompression. The source of this problem is that the O_EXCL flag is not used when output files are created during decompression. An attacker may potentially create a malicious archive which exploits this vulnerability, causing files owned by the user decompressing the archive to be overwritten.

bzip2 Insecure Decompressed File Permissions Vulnerability
BugTraq ID: 4775
Remote: No
Date Published: May 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4775
Summary:
bzip2 is an open-source file compression/decompression utility for Unix and Linux variants. bzip2 is prone to a race condition which may cause files to be decompressed with world-readable permissions. The race condition exists between the creation of the files being decompressed and the setting of their permissions, potentially causing decompressed files to exist briefly with inappropriate permissions. This vulnerability may potentially expose sensitive files to other local users.

bzip2 Archive Inherited Symbolic Link Permissions Vulnerability
BugTraq ID: 4776
Remote: No
Date Published: May 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4776
Summary:
bzip2 is an open-source file compression/decompression utility for Unix and Linux variants. When a file is compressed through a symbolic link, bzip2 records the permissions of the symbolic link instead of the permissions of the actual file being compressed. Therefore, if a symbolic link to a file is compressed using the software, the permissions of the symbolic link are stored in the archive as the permissions of the file. The source of the problem is a failure to dereference symbolic links when creating the archive.
This may result in decompressed files being created with insecure permissions (such as world-readable), potentially causing sensitive information contained in the decompressed files to be disclosed to local users.

FreeBSD k5su Wheel Group Membership Validation Vulnerability
BugTraq ID: 4777
Remote: No
Date Published: May 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4777
Summary:
k5su is a utility for the FreeBSD operating system which is similar to su. It allows a local user to gain superuser privileges by further authenticating as the superuser. Authentication is performed either via the local passwd file or via Kerberos 5. The su utility normally requires that the local user be a member of the 'wheel' group before it can be used. k5su does not sufficiently validate that the user possesses this group membership, and so may be used by arbitrary local users who know the superuser password or have an explicit entry in the Kerberos 5 ACL for the superuser account. This is a weakness because the expected behavior is that k5su may only be executed by users with 'wheel' group membership; k5su cannot be relied upon to restrict which accounts may gain superuser privileges. It has also been reported that k5su lacks a number of other security features provided by the su utility. It should be noted that administrators must explicitly install k5su, and this vulnerability is not present in default installations of the FreeBSD operating system.

Stronghold Secure Server Path Information Disclosure Vulnerability
BugTraq ID: 4785
Remote: Yes
Date Published: May 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4785
Summary:
Red Hat Stronghold Secure Web Server is a web server based on the Apache source. It has been reported that Stronghold Server 3.0 may disclose path information to a remote user. The vulnerability exists in SWISH (Simple Web Indexing System for Humans), Stronghold's site indexer, which is bundled with Stronghold Server.
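The three bzip2 advisories above (BugTraq IDs 4774 to 4776) reduce to three file-handling decisions in a compressor: create output files with O_EXCL so an existing file or a planted symlink is never silently overwritten, pass the final mode to open() instead of creating the file and chmod()ing it afterwards so there is no window with umask-derived permissions, and stat() rather than lstat() the input when recording permissions so the archive carries the target file's mode and not the link's. The program below is an added example written for this digest, not bzip2's code; it implements each hardened form and self-checks them in a scratch directory under /tmp using files it constructs itself.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the output file for a decompressed stream. O_EXCL makes open()
 * fail with EEXIST if anything already occupies the name, including a
 * symbolic link (POSIX guarantees this regardless of the link's target),
 * which closes the overwrite problem of BID 4774. Passing the mode to
 * open() itself means the file never exists with a broader mode than
 * intended, which closes the chmod() race of BID 4775. O_NOFOLLOW is
 * redundant with O_EXCL but documents the intent. */
int create_output_file(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode & 07777);
}

/* Mode to record in the archive for `path`. stat() follows symbolic
 * links, so the stored mode is that of the real file, not of the link
 * (the defect of BID 4776 is using lstat()-style link metadata). */
int archived_mode(const char *path, mode_t *mode_out)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    *mode_out = st.st_mode & 07777;
    return 0;
}

/* Self-check in a fresh scratch directory (constructed for this demo).
 * Returns 0 when every property holds, otherwise the number of the
 * step that failed. */
int demo(void)
{
    char dir[] = "/tmp/bz2demo.XXXXXX";
    if (mkdtemp(dir) == NULL) return 1;
    char out[300], victim[300], link[300];
    snprintf(out, sizeof out, "%s/out.txt", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    mode_t saved = umask(0);          /* make the process umask irrelevant */
    struct stat st;
    mode_t m;
    int rc = 0, fd;

    /* 1. First creation succeeds and the mode is 0600 from the start. */
    fd = create_output_file(out, 0600);
    if (fd < 0 || fstat(fd, &st) != 0 || (st.st_mode & 07777) != 0600) rc = 2;
    if (fd >= 0) close(fd);

    /* 2. Creating the same name again is refused with EEXIST instead of
     *    truncating the existing file. */
    if (rc == 0) {
        fd = create_output_file(out, 0600);
        if (fd >= 0 || errno != EEXIST) rc = 3;
        if (fd >= 0) close(fd);
    }

    /* 3. A symlink planted at the output name is refused as well. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || symlink(victim, link) != 0) { if (rc == 0) rc = 4; }
    if (fd >= 0) close(fd);
    if (rc == 0) {
        fd = create_output_file(link, 0600);
        if (fd >= 0 || errno != EEXIST) rc = 5;
        if (fd >= 0) close(fd);
    }

    /* 4. archived_mode() follows the link and reports the target's 0644,
     *    not the link's own mode (typically 0777 when read with lstat). */
    if (rc == 0 && (archived_mode(link, &m) != 0 || m != 0644)) rc = 6;

    unlink(link); unlink(victim); unlink(out); rmdir(dir);
    umask(saved);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("%s (step %d)\n", rc == 0 ? "all checks passed" : "check failed", rc);
    return rc;
}
```

The demo deliberately sets the umask to 0 before step 1: with the mode passed to open(), the created file is still 0600, which is exactly the property the chmod()-after-create pattern lacks.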
An attacker is able to send a request that will cause SWISH to disclose the path to the web root. In some cases, SWISH may disclose system-specific information to the attacker. Path and system information obtained in this way may be used by a malicious attacker to mount further, potentially damaging, attacks against the vulnerable system.

Eric S. Raymond Fetchmail Message Count IMAP Buffer Overflow Vulnerability
BugTraq ID: 4788
Remote: Yes
Date Published: May 21 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4788
Summary:
Fetchmail is a freely available, open source mail retrieval utility. It is maintained by Eric S. Raymond. A vulnerability in the IMAP handling code could make it possible for a malicious server to exploit a buffer overflow. The problem is in the handling of the message index count: a malicious server may be able to take advantage of a fetchmail client, resulting in a denial of service and potentially the execution of arbitrary code. By default, the fetchmail client trusts the message index count sent by the server and allocates memory sized according to that count. A malicious IMAP server may return a very large message index count, in which case the fetchmail client could allocate an amount of memory large enough to overwrite the process's stack memory. This problem is likely to result in a denial of service. This vulnerability, however, also has the potential for remote exploitation, provided an attacker has control of the IMAP server that the fetchmail client polls.

OpenBSD sshd BSD Authentication Implementation Error Vulnerability
BugTraq ID: 4803
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4803
Summary:
OpenBSD is a freely available, open source operating system designed with security in mind. It is maintained and distributed by the OpenBSD project.
A possible security issue in the OpenSSH server for OpenBSD has been reported. The vulnerability is related to the implementation of BSD authentication. In the sshd utility, a condition exists where the 'auth_approval()' function may overwrite a libc password entry structure that is still in use with the entry of another user. This may occur when YP/NIS is in use. Exploitation of this vulnerability may allow users with locked accounts to authenticate successfully.

Ethereal DNS Dissector Infinite Loop Denial of Service Vulnerability
BugTraq ID: 4807
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4807
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The Ethereal DNS dissector is the component that decodes the DNS protocol. A condition exists where the DNS dissector routine may enter an infinite loop while processing a request. This may be triggered by a maliciously constructed DNS query transmitted across the network. A remote attacker may exploit this vulnerability to prevent Ethereal from functioning. Successful exploitation may result in data loss and evasion of detection by Ethereal.

Ethereal Server Message Block Dissector Malformed Packet Denial Of Service Vulnerability
BugTraq ID: 4806
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4806
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The Ethereal Server Message Block (SMB) dissector is the component that decodes the Microsoft SMB protocol. A problem in this portion of Ethereal could make it possible for a remote attacker to deny service to an Ethereal user.
Two conditions exist that may result in attempts to dereference NULL pointers. The conditions may be triggered by a specially constructed SMB packet transmitted across the network by the attacker. By transmitting such a packet while an Ethereal session is running, the attacker can make Ethereal dereference a NULL pointer, crashing the application. Successful exploitation may result in Ethereal crashing due to an access violation, resulting in a denial of service.

Ethereal GIOP Dissector Memory Exhaustion Vulnerability
BugTraq ID: 4808
Remote: Yes
Date Published: May 23 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4808
Summary:
Ethereal is a freely available, open source network traffic analysis tool. It is maintained by the Ethereal Project and is available for most Unix and Linux variants as well as Microsoft Windows operating systems. The Ethereal GIOP dissector is the component that decodes the General Inter-ORB Protocol (GIOP). A condition exists that may result in exhaustion of available memory: a specially constructed packet may cause the dissector to allocate a large amount of memory. Attackers may exploit this vulnerability to exhaust available memory. Successful exploitation may result in Ethereal failing or crashing.

Debian GNU/Linux netstd Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 4816
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4816
Summary:
The netstd package, included with the Debian GNU/Linux distribution, is a collection of networking utilities and daemons. Reportedly, version 3.07-17 of netstd included with Debian is vulnerable to a buffer overflow attack. The vulnerability affects multiple utilities included with netstd.
The affected utilities are:
- linux-ftpd
- pcnfsd
- tftp
- traceroute
- from/to
The condition occurs when an FQDN (Fully Qualified Domain Name) response, generated by the DNS (Domain Name System) server the utility queries, is copied into a small buffer without any length check. It may be possible for a malicious attacker to overflow the buffer and execute code as the owner of the vulnerable process.

[ details: apparently this only affects Debian GNU/Linux versions earlier than 2.2 (2.2 itself not included). So Debian/stable is not affected. So I don't really see the point of filing a bug report on something that stopped being the case in 2000. Oh well. ]

ViewCVS Cross-Site Scripting Vulnerability
BugTraq ID: 4818
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4818
Summary:
ViewCVS is an open-source web interface for CVS. It is available for most Unix and Linux variants as well as Microsoft Windows operating systems. ViewCVS does not filter HTML tags from certain URL parameters, making it prone to cross-site scripting attacks. An attacker may exploit this by constructing a malicious link, containing script code, to a site running ViewCVS and sending it to a legitimate user of the site. When the legitimate user follows the link, the attacker's script code is executed in their web client in the security context of the website running ViewCVS. The attacker may be able to steal cookie-based authentication credentials or hijack web content as a result of this vulnerability.

Sendmail File Locking Denial Of Service Vulnerability
BugTraq ID: 4822
Remote: No
Date Published: May 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4822
Summary:
Sendmail is an MTA (Mail Transport Agent) for Unix and Linux variants. There is a vulnerability in Sendmail that can lead to a denial of service condition. The vulnerability occurs when a malicious user acquires an exclusive lock on files that Sendmail requires for operation.
Sendmail uses file locking on a variety of files, including the aliases file, maps, statistics, and the pid file. If a user has access to these files, the user may be able to obtain exclusive locks on them. If Sendmail or its associated programs are unable to access any critical file, they will cease to function properly. A malicious user may exploit this vulnerability to cause Sendmail to stop functioning.

GNU Mailman Admin Login Cross-Site Scripting Vulnerability
BugTraq ID: 4825
Remote: Yes
Date Published: May 20 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4825
Summary:
GNU Mailman is a freely available, open-source mailing list manager written in Python and C. It runs on Linux and other Unix-based systems. GNU Mailman is prone to a cross-site scripting vulnerability. An attacker may construct a malicious link to the administrative login page which contains arbitrary HTML and script code. A user visiting the link will have the attacker's script code executed in their web browser in the context of the site running the vulnerable software. The attacker may potentially exploit this condition to steal cookie-based authentication credentials.

GNU Mailman Pipermail Index Summary HTML Injection Vulnerability
BugTraq ID: 4826
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4826
Summary:
GNU Mailman is a freely available, open-source mailing list manager written in Python and C. It runs on Linux and other Unix-based systems. Pipermail is bundled with GNU Mailman and is used as the mailing list archiver. HTML tags are not properly filtered from the HTML list archive index. This may enable a remote attacker to inject arbitrary HTML, including script code, into the HTML list archive index. When a web user views a list archive index containing attacker-supplied script code, the script code will be executed in their web client in the security context of the website running GNU Mailman.
This issue exists in the Pipermail component of GNU Mailman.

MIT PGP Public Key Server Search String Remote Buffer Overflow Vulnerability
BugTraq ID: 4828
Remote: Yes
Date Published: May 24 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4828
Summary:
The PGP Public Key Server is a freely available, open source software package distributed by MIT. It is designed for use on Linux and Unix operating systems. A problem with the software package may allow remote code execution. The problem is in the handling of long search strings, which the PGP Public Key Server does not handle properly. Under some conditions, it may be possible to pass a long string to the server that results in a buffer overflow. This may result in the overwriting of stack variables, including the return address. When a search string of 512 or more characters is passed, the server crashes. Minimally, this could result in a denial of service to users of the key server. In the event that this could be exploited to execute code, a remote user would be able to execute code with the privileges of the PGP Public Key Server process. It is noteworthy that exploit strings must pass through an isalnum() function as well as a tolower() function, limiting the characters that may be used in an exploit string.

[ lots of problems with Cisco IOS too, on the hardware side ]

- To post an announcement: [EMAIL PROTECTED]
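The Ethereal DNS dissector entry above (BugTraq ID 4807) is the classic case of a decoder that trusts the structure of the packet it is parsing. The advisory does not say which construct causes the loop; the program below assumes the usual culprit, DNS name compression pointers (RFC 1035 section 4.1.4) that point at themselves or form a cycle, and shows what a bounded decoder looks like: every pointer must point backwards, the number of pointer hops is capped, and each label is checked against both the packet length and the output buffer before a byte is copied, so a hostile packet is reported as malformed instead of spinning the parser or overrunning a buffer. This is an added example written for this digest, not Ethereal's code; the sample packet and the three malformed names are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Maximum compression-pointer hops followed. Together with the 255-octet
 * name limit this guarantees the decoding loop terminates: each pass is
 * either a hop (bounded by DNS_MAX_HOPS) or a label (grows the output). */
#define DNS_MAX_HOPS 16

/* Decode the DNS name starting at byte `off` of `pkt` into `out` as
 * dotted text. Returns the number of bytes the name occupies at its
 * original position (so a caller can step to the next field), or -1 if
 * the name is malformed: it runs off the end of the packet, uses a
 * reserved label type, points forwards or at itself, chains too many
 * pointers, or does not fit in `out` or within the 255-octet limit. */
int dns_decode_name(const uint8_t *pkt, size_t len, size_t off,
                    char *out, size_t outlen)
{
    size_t pos = off, outpos = 0;
    int hops = 0, consumed = -1;

    for (;;) {
        if (pos >= len) return -1;
        uint8_t c = pkt[pos];

        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | pkt[pos + 1];
            if (consumed < 0) consumed = (int)(pos + 2 - off);
            if (target >= pos) return -1;           /* self or forward pointer */
            if (++hops > DNS_MAX_HOPS) return -1;   /* pointer cycle */
            pos = target;
            continue;
        }
        if (c & 0xC0) return -1;                    /* 0x40/0x80: reserved types */

        if (c == 0) {                               /* root label ends the name */
            if (consumed < 0) consumed = (int)(pos + 1 - off);
            if (outpos == 0) {                      /* bare root name: "." */
                if (outlen < 2) return -1;
                out[outpos++] = '.';
            }
            out[outpos] = '\0';
            return consumed;
        }

        /* ordinary label: c bytes follow; check both buffers before copying */
        if (pos + 1 + c > len) return -1;
        if (outpos + c + 2 > outlen) return -1;     /* '.' + label + NUL */
        if (outpos > 0) out[outpos++] = '.';
        memcpy(out + outpos, pkt + pos + 1, c);
        outpos += c;
        if (outpos > 255) return -1;                /* RFC 1035 name limit */
        pos += 1 + c;
    }
}

/* Constructed sample: 12 zero header bytes, "www.example.com" at offset
 * 12, then "mail" followed by a pointer to "example.com" at offset 16. */
const uint8_t sample_packet[] = {
    0,0,0,0,0,0,0,0,0,0,0,0,
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    4,'m','a','i','l', 0xC0, 16
};
const size_t sample_packet_len = sizeof sample_packet;

/* Constructed malformed names: a pointer to itself, a backwards pointer
 * that re-enters its own label (the cycle a naive decoder spins on), and
 * a label that claims more bytes than the packet holds. */
const uint8_t self_pointer[]  = { 0xC0, 0x00 };
const uint8_t cycle_pointer[] = { 1, 'a', 0xC0, 0x00 };
const uint8_t truncated[]     = { 3, 'w', 'w' };

int main(void)
{
    char name[256];
    int n = dns_decode_name(sample_packet, sample_packet_len, 29, name, sizeof name);
    printf("%d %s\n", n, n < 0 ? "(malformed)" : name);
    n = dns_decode_name(cycle_pointer, sizeof cycle_pointer, 0, name, sizeof name);
    printf("%d %s\n", n, n < 0 ? "(malformed)" : name);
    return 0;
}
```

The backwards-only rule on its own is not enough: the cycle_pointer sample obeys it (the pointer at offset 2 points to offset 0) yet re-enters the label it came from. The hop cap is what turns that into a clean -1, which is why both checks are kept.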
