Daniel Ahlberg | 1 Oct 2002 14:37

GLSA: tar


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :tar
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 12:30 UTC

--------------------------------------------------------------------

OVERVIEW

The tar utility contains vulnerabilities which can allow
arbitrary files to be overwritten during archive extraction.

DETAIL

During testing by Redhat of the fix to GNU tar from the advisory below, 
it was discovered that GNU tar 1.13.25 was still vulnerable to a 
modified version of the same problem.

Read the full original advisory at
http://marc.theaimsgroup.com/?l=bugtraq&m=99496364810666&w=2

SOLUTION

It is recommended that all Gentoo Linux users who are running
sys-apps/tar-1.13.25-r2 and earlier update their systems
as follows:
(Continue reading)

Marc Bevand | 1 Oct 2002 02:00

ASA-0000: GV Execution of Arbitrary Shell Commands


                      "After" Security Advisory

        Title: GV Execution of Arbitrary Shell Commands
      Affects: gv-3.5.8 and probably older versions
  Advisory ID: ASA-0000
 Release Date: 2002-10-01
       Author: Marc Bevand <bevand_m (at) epita.fr>
          URL: http://www.epita.fr/~bevand_m/asa/asa-0000

--oOo-- 0. Table of Contents

0. Table of Contents
1. Introduction
2. Problem
3. Solution
4. Conclusion
5. References
6. Attached files

--oOo-- 1. Introduction

  GV [0] is a PostScript and PDF previewer available on
many unix
systems and even on some non-unix systems. Technically,
it is a user
interface for Ghostscript [1], which is a PostScript
and PDF language
interpreter. GV is also able to automatically
decompress GZip'ed [2]
(Continue reading)

Rossen Raykov | 1 Oct 2002 15:57

Insecure XML-RPC handling in Zope reveals the distribution physical location.

Zope versions pre-2.5.1b2 do not handle some XML-RPC requests correctly.

1. Summary:

Zope (www.zope.org) will reveal the complete physical location where the
server and its components are installed if it receives "incorrect" XML-RPC
requests.
In some cases it will also reveal information about the servers in the
protected LAN (10.x.x.x for example) on which the current server is relaying.

2. Details:

A request like the quoted below will cause Zope to produce stack traces in
the response that will reveal the information mentioned above.

See http://collector.zope.org/Zope/359 for more details.

Ironically, the quoted request was an example of how to use XML-RPC.

Note that starting Zope without -D option won't stop the exposure.

telnet localhost 8080
POST /Documentation/comp_tut HTTP/1.0
Host: localhost
Content-Type: text/xml
Content-length: 93

<?xml version="1.0"?>
<methodCall>
<methodName>objectIds</methodName>
(Continue reading)
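
The probe described in the post, and the check a tester would run on the answer, as an added example (my own code, not Rossen Raykov's and not Zope's). It serialises the same `objectIds` call with `xmlrpc.client` so the `Content-length` is always right, then scans a response body for what the post says leaks: absolute install paths in traceback `File` lines and RFC 1918 addresses. The `VERBOSE_FAULT` sample is constructed for this example, not captured from a Zope server, and the `/usr/local/zope/...` paths and `10.0.0.12` in it are assumptions; `generic_fault()` shows the shape of the response a hardened handler should send instead.

```python
import re
import socket
import xmlrpc.client

# Traceback "File" lines, quoted (CPython style) or unquoted (as Zope 2 printed
# them); captures the absolute path.
PATH_RE = re.compile(r'File "?(/[^",\s]+)"?, line \d+')
# RFC 1918 ranges: the "servers in the protected LAN" the post refers to.
PRIVATE_IP_RE = re.compile(
    r'\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    r'|192\.168\.\d{1,3}\.\d{1,3}'
    r'|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b')


def build_call(method, *params, path="/Documentation/comp_tut", host="localhost"):
    """The request from the post, with the XML body produced by xmlrpc.client
    instead of typed by hand so Content-length matches the body."""
    body = xmlrpc.client.dumps(params, methodname=method)
    return ("POST %s HTTP/1.0\r\nHost: %s\r\nContent-Type: text/xml\r\n"
            "Content-length: %d\r\n\r\n%s" % (path, host, len(body), body))


def leaked_info(response_body):
    """Pull install paths and internal addresses out of a verbose fault."""
    return {"paths": sorted(set(PATH_RE.findall(response_body))),
            "private_ips": sorted(set(PRIVATE_IP_RE.findall(response_body)))}


def generic_fault():
    """What a hardened XML-RPC handler should return on an internal error:
    a fault with a fixed message and no traceback."""
    return xmlrpc.client.dumps(xmlrpc.client.Fault(-1, "internal error"))


# Constructed stand-in for the verbose response (assumed paths and address;
# not real Zope output).  Built with dumps() so the XML escaping is correct.
VERBOSE_FAULT = xmlrpc.client.dumps(xmlrpc.client.Fault(-1, (
    "Traceback (innermost last):\n"
    "  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 150, in publish_module\n"
    "  File /usr/local/zope/lib/python/ZPublisher/Publish.py, line 114, in publish\n"
    "  File /usr/local/zope/lib/python/OFS/DTMLDocument.py, line 178, in __call__\n"
    "AttributeError: objectIds\n"
    "Request: http://10.0.0.12:8080/Documentation/comp_tut\n")))


def probe(host, port=8080, timeout=5.0):
    """Send the call to a live server and report what its answer leaks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_call("objectIds", host=host).encode("ascii"))
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return leaked_info(b"".join(chunks).decode("latin-1"))


if __name__ == "__main__":
    print("request:\n" + build_call("objectIds"))
    print("verbose fault leaks:", leaked_info(VERBOSE_FAULT))
    print("generic fault leaks:", leaked_info(generic_fault()))
```

`probe("localhost")` reproduces the post's telnet session against a real server; the fix is to upgrade, but the same scan over any XML-RPC fault response is a quick regression check that tracebacks no longer reach the client.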

Fab\AIS | 1 Oct 2002 03:19

NETGEAR FVS318 Information Disclosure

Hi All..

I'm resending this..*without* the failure notice ;)

 Attached is an Advisory concerning Netgear's FVS318 
 Firewall/VPN/Router, and the fact that it stores Usernames and
Passwords in plain text if the config is backed up.

 Thanks,

 fab <at> aisec.net
 http://www.aisec.net
 Information Security Team.
  -=-=-=-=-=-=-=-=-=-=-=-=-=-
===================================================================
 AIS advisory # 0006 NETGEAR FVS318 Firewall Router Firmware 1.1 
 Username/Password Disclosure

 ==============Summary================

 Netgear's FVS318 Firewall/VPN/Router stores Usernames and Passwords in 
 plain text when a backup of the configuration is made.

 ==========Software Affected==========

 Netgear FVS318 firmware 1.1 and every firmware version before it.

 ===============Vendor================

 http://www.netgear.com
(Continue reading)

secure | 1 Oct 2002 16:52

[CLA-2002:527] Conectiva Linux Security Announcement - python


--------------------------------------------------------------------------
CONECTIVA LINUX SECURITY ANNOUNCEMENT 
--------------------------------------------------------------------------

PACKAGE   : python
SUMMARY   : os.execvpe() vulnerability
DATE      : 2002-10-01 11:48:00
ID        : CLA-2002:527
RELEVANT
RELEASES  : 6.0, 7.0, 8

-------------------------------------------------------------------------

DESCRIPTION
 Python is an interpreted, interactive, object-oriented programming
 language.

 Zack Weinberg found[1] a vulnerability in the way the execvpe() method
 from the os.py module uses a temporary file name. A file which
 supposedly should not exist is created in an unsafe way and the method
 tries to execute it. The objective of such code is to discover what
 error the operating system returns in a portable way.

 This vulnerability affects all python versions and is fixed[2,3] in
 the python CVS repository (using a better approach).

 By exploiting this vulnerability a local attacker can execute
 arbitrary code with the privileges of the user running python code
 which uses the execvpe() method.
(Continue reading)
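
The unsafe pattern the advisory describes next to a hardened PATH search, as an added example (my own code, reconstructed from the description above; it is not the os.py source and not the CVS fix). `unsafe_probe_enoent()` keeps the behaviour at issue for contrast only: it execs a temp-file name that is assumed not to exist, just to learn the "not found" errno, and between `mktemp()` choosing the name and `execv()` using it a local attacker who can guess the name can plant an executable there. `safe_execvpe()` needs no probe at all, because the `errno` module already says portably which errors mean "keep looking"; the injectable `exec_fn` parameter is my own addition so the search can be exercised without replacing the process.

```python
import errno
import os
import tempfile


def unsafe_probe_enoent():
    """Contrast only; never use.  Reconstructed pattern: exec a temp-file name
    assumed not to exist to discover the OS's "not found" errno.  The name is
    predictable (old tempfile used pid + counter) and nothing is created at it,
    so a local attacker who wins the race between mktemp() and execv() has their
    file run with the privileges of this process."""
    probe = tempfile.mktemp()
    try:
        os.execv(probe, ("blah",))        # the race window
    except OSError as e:
        return e.errno                    # ENOENT on a sane system
    raise RuntimeError("probe file existed and was executed")


def safe_execvpe(file, args, env=None, exec_fn=os.execve):
    """Hardened PATH search with no probe file.  ENOENT/ENOTDIR mean "try the
    next directory"; any other error (EACCES, ENOEXEC, ...) is remembered and
    re-raised if no directory succeeds, so the caller sees the informative one.
    `exec_fn` is injectable for testing; with the default it replaces the
    process on success and never returns."""
    if env is None:
        env = os.environ
    if os.path.dirname(file):             # explicit path: no search
        exec_fn(file, args, env)
        return
    saved = None
    for d in env.get("PATH", os.defpath).split(os.pathsep):
        full = os.path.join(d, file)
        try:
            exec_fn(full, args, env)
            return                        # only reached with a fake exec_fn
        except OSError as e:
            if e.errno not in (errno.ENOENT, errno.ENOTDIR) and saved is None:
                saved = e
    if saved is None:
        saved = FileNotFoundError(errno.ENOENT, os.strerror(errno.ENOENT), file)
    raise saved


if __name__ == "__main__":
    tried = []

    def fake_exec(path, args, env):      # records candidates, never execs
        tried.append(path)
        raise OSError(errno.ENOENT, "No such file or directory", path)

    try:
        safe_execvpe("tool", ("tool",), {"PATH": "/nope:/opt/bin"}, exec_fn=fake_exec)
    except FileNotFoundError as e:
        print("not found:", e.filename, "after trying", tried)
```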

Dave Aitel | 1 Oct 2002 17:18

PPTP

For those of you who have a desire to crash Microsoft's PPTP stack, I
have a pptp .spk script linked off of
http://www.immunitysec.com/spike.html. 

It would probably be good to run against other PPTP stacks as well.
(Likewise, SPIKE's msrpcfuzzer takes down free software dce-rpc stacks
just as fast as it takes down the non-free stacks.)

It's not a bad demonstration of how to use SPIKE scripts either, if
you're inclined to learn. Finding this bug took less than thirty
minutes...(</marketing>)

To run it:
# first enable the shared library fun
bash$ . ./ls.sh 
# now run the script against 192.168.1.100 after setting up PPTP on that
machine. It's a good idea to set up SoftIce as well.
bash$ ./generic_send_tcp 192.168.1.100 1723 ./pptp.spk 0 0 
#wait for crash. It's in the second packet, I believe.

Dave Aitel
Immunity, Inc.

References
-----------------------------

   [1] phion Information Technologies
       http://www.phion.com/

Exploit
(Continue reading)

Daniel Ahlberg | 1 Oct 2002 11:41

GLSA: fetchmail


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :fetchmail
SUMMARY        :remote vulnerabilities
DATE           :2002-10-01 09:30 UTC

--------------------------------------------------------------------

OVERVIEW

Stefan Esser from e-matters has discovered several buffer overflows and
a broken boundary check within Fetchmail.

DETAIL

If Fetchmail is running in multidrop mode these flaws can be used by
remote attackers to crash it or to execute arbitrary code with the
permissions of the user running fetchmail. Depending on the configuration
this allows a remote root compromise.

Read the full advisory at
http://security.e-matters.de/advisories/032002.html

SOLUTION

It is recommended that all Gentoo Linux users who are running
net-mail/fetchmail-0.59.14 and earlier update their systems
(Continue reading)

Daniel Ahlberg | 1 Oct 2002 12:38

GLSA: unzip


--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT
--------------------------------------------------------------------

PACKAGE        :unzip
SUMMARY        :directory-traversal vulnerability
DATE           :2002-10-01 10:30 UTC

--------------------------------------------------------------------

OVERVIEW

Archive extraction is usually treated by users as a safe operation.
There are a few problems with file extraction though.

DETAIL

Among them: huge files with high compression ratio are able to fill
memory/disk (see "Antivirus scanner DoS with zip archives" thread on
Vuln-Dev), special device names and special characters in file names,
directory traversal (dot-dot bug). Probably, directory traversal is the
most dangerous among these bugs, because it allows crafting an archive
which will trojan the system on extraction. This problem is known to
software developers, and newer archivers usually have some kind of
protection. But in some cases this protection is weak and can be
bypassed. I did very quick (approx. 30 minutes, so maybe I've missed
something) research on a few popular archivers. Results are below.

Read the full advisory at
(Continue reading)
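
A pre-extraction check for the dot-dot bug in both the tar advisory above and this unzip one, as an added example (my own code, not Gentoo's and not part of either advisory). The point of the tar 1.13.25 follow-up was that stripping a leading `../` is not enough, so `is_unsafe_member()` walks every path component and flags any member whose depth ever goes below the extraction root, plus absolute paths, DOS drive letters and backslash separators; for tar it also checks symlink and hardlink targets, since a later member written through an escaping link lands outside the root too. The two archives are constructed in memory for this example and their member names are invented.

```python
import io
import posixpath
import tarfile
import zipfile


def is_unsafe_member(name):
    """True if writing `name` under an extraction root could land outside it.
    Handles '..' after a harmless prefix ('safe/../../x'), not just a leading
    '../', and treats backslashes as separators.  Conservative by design."""
    norm = name.replace("\\", "/")
    if norm.startswith("/"):
        return True
    if len(norm) > 1 and norm[0].isalpha() and norm[1] == ":":
        return True  # drive letter, e.g. 'C:/...' or 'C:..'
    depth = 0
    for part in norm.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True  # climbed above the extraction root
        else:
            depth += 1
    return False


def unsafe_tar_members(data):
    """Names of members that would escape, including links whose target does.
    Hardlink targets are archive-relative; symlink targets are relative to
    the member's own directory."""
    hits = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf:
            if is_unsafe_member(m.name):
                hits.append(m.name)
            elif m.issym() or m.islnk():
                target = m.linkname if m.islnk() else posixpath.join(
                    posixpath.dirname(m.name), m.linkname)
                if is_unsafe_member(target):
                    hits.append("%s -> %s" % (m.name, m.linkname))
    return hits


def unsafe_zip_members(data):
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zi.filename for zi in zf.infolist() if is_unsafe_member(zi.filename)]


def build_evil_tar():
    """Constructed sample: one benign member, two traversal members (one with
    a harmless prefix), and a symlink pointing above the root."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("safe/readme.txt",
                     "../../etc/cron.d/evil",
                     "safe/../../.ssh/authorized_keys"):
            payload = b"constructed sample content\n"
            ti = tarfile.TarInfo(name)
            ti.size = len(payload)
            tf.addfile(ti, io.BytesIO(payload))
        link = tarfile.TarInfo("safe/escape")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../tmp"
        tf.addfile(link)
    return buf.getvalue()


def build_evil_zip():
    """Constructed sample: benign member, DOS-style traversal, absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok/file.txt", "constructed")
        zf.writestr("..\\..\\win.ini", "constructed")
        zf.writestr("/etc/passwd", "constructed")
    return buf.getvalue()


if __name__ == "__main__":
    print("tar:", unsafe_tar_members(build_evil_tar()))
    print("zip:", unsafe_zip_members(build_evil_zip()))
```

Run the two `unsafe_*_members()` functions over an archive before handing it to any extractor; a non-empty list means the archive must not be unpacked with that tool's defaults, whatever version it claims to be.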

David Miller | 1 Oct 2002 18:50

[BUGZILLA] Security Advisory

Bugzilla Security Advisory

October 1st, 2002

All Bugzilla installations are advised to upgrade to the latest versions of
Bugzilla, 2.14.4 and 2.16.1, both released today. Security issues of
varying importance have been fixed in both.  These vulnerabilities affect
all previous 2.14 and 2.16 releases.

2.14.x users are additionally encouraged to upgrade to 2.16.1 as soon as
possible, as the 2.14 branch will no longer be maintained by the Bugzilla
team beyond the end of this year.

Individual patches to upgrade Bugzilla are available at
 http://ftp.mozilla.org/pub/webtools/
(however these patches are only valid for 2.14.3 and 2.16 users).

Full release downloads and CVS upgrade instructions are available at
 http://www.bugzilla.org/download.html

Complete bug reports for all the following bugs may be obtained at
 http://bugzilla.mozilla.org/

The following security issues were fixed in both 2.14.4 and 2.16.1:

- Permissions leak when using "usebuggroups" and more than 47 groups;
  permissions are granted to users in higher groups when they shouldn't be.
  (bug 167485; comment 12 has additional detection/recovery information)
  http://bugzilla.mozilla.org/show_bug.cgi?id=167485#c12

(Continue reading)

Mark Grimes | 1 Oct 2002 13:34

Postnuke XSS patch


[For Immediate Release]

The PostNuke Security Officer has updated the CVS version of Postnuke and a
patch will be made available today to fix the outstanding issue shown here
http://marc.theaimsgroup.com/?l=bugtraq&m=103306696427569&w=2

It is apparent that the Postnuke developers reviewed the material suggested
vulnerable and deemed it worthy of a patch.  Please refer to their website for
patch availability, as I was not provided a specific URL to point you to.

--
Mark Grimes <mark <at> stateful.net>
Stateful Labs

