
Re: Web Pages TODO List - Security



Hello,

Attached are patches for the 'undated' security advisories.  After they
are applied there will be four _unpatched_ advisories in that directory,
three for 'xfree' and one for 'mc'.  At this time it doesn't appear
that I will find any usable information for those four advisories.

If all the patches are applied, sixteen files will be changed:
1bliss.(data,wml), 1doom.wml, 1land.data, 1ldso.wml, 1libdb.wml,
1lynx.wml, 1mgetty.wml, 1modutils.wml, 1parsecontrol.(data,wml),
1samba.wml, 1sperl.(data,wml), 1svgalib.wml, and 1teardrop.data.

If there are any questions/problems with the attached patches, please
let me know.  If the patches look good, would someone commit them?
Matt, thanks for your help with the previous ones.

Next, I intend to start working on the advisories that link back into
the Debian archives; it appears that there are several in the 1999
directory.

Doug Jensen
diff -u old/1bliss.wml new/1bliss.wml
--- old/1bliss.wml	Fri Aug 15 12:00:18 2003
+++ new/1bliss.wml	Wed Aug 13 07:54:01 2003
@@ -5,7 +5,18 @@
 problem. This is why people should do as little as possible under
 root.
 
+<p>Bliss was described on USENET in the fall of 1996.  In February of 1997, it was reported in Linux and Bugtraq mailing lists.  
+
+<p>Check for Bliss by searching all binaries for the following pattern:<br>E8ABD8FFFFC200003634 65643134373130363532
+
 <p>Disinfect with the --bliss-uninfect-files-please argument to an infected program.
+
+<p>References:
+<ul>
+<li> <a href="http://www.f-secure.com/v-descs/bliss.shtml";> F-Secure - bliss description</a>
+<li> <a href="http://www.securitymap.net/sdm/docs/virus/unix-virus-459.html";>Viruses on Unix systems - by Rado Dejanovic</a>
+<li> <a href="http://www2.norwich.edu/mkabay/iyir/1997.PDF";>InfoSec Year in Review -- 1997 (at Norwich.edu) (PDF)</a>
+</ul>
 </define-tag>
 
 # do not modify the following line
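Review bot: the Bliss search pattern on the `+<p>Check for Bliss` line is broken by a space (`...C200003634 65643134373130363532`), so anyone searching binaries for it as one string will never match; confirm whether the signature is a single contiguous hex string and, if so, remove the space. Two smaller points: every `href` in this patch ends `";>` with a semicolon after the closing quote, which will break the links if it is really in the patch rather than an artifact of the list archive; and the cover note lists `1bliss.data` among the changed files, but no hunk for it appears in the attachment.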
diff -u old/1doom.wml new/1doom.wml
--- old/1doom.wml	Fri Aug 15 12:00:18 2003
+++ new/1doom.wml	Wed Aug 13 11:29:02 2003
@@ -1,6 +1,11 @@
 <define-tag description>/tmp file attack</define-tag>
 <define-tag moreinfo>
 Doom startmouse creates replaceable /tmp/gpmscript
+
+<p>References:
+<ul>
+<li> <a href="http://www.insecure.org/sploits/linux.doom.gpm.killmouse.html";>BugTraq posting - doom<a/>
+</ul>
 </define-tag>
 
 # do not modify the following line
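Review bot: the anchor on the `+<li>` line is closed with `<a/>` instead of `</a>`, which leaves the link element unterminated in the generated HTML; change it to `BugTraq posting - doom</a>`.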
diff -u old/1land.data new/1land.data
--- old/1land.data	Fri Aug 15 12:00:18 2003
+++ new/1land.data	Wed Aug 13 08:48:01 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>kernel</define-tag>
 <define-tag report_date>undated</define-tag>
+<define-tag secrefs>CA-1997-28</define-tag>
 <define-tag packages>kernel-package</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>N/A</define-tag>
diff -u old/1ldso.wml new/1ldso.wml
--- old/1ldso.wml	Fri Aug 15 12:00:18 2003
+++ new/1ldso.wml	Wed Aug 13 07:54:01 2003
@@ -3,6 +3,22 @@
 Local users may gain root privileges by exploiting a buffer overflow
 in the dynamic linker (ld.so).
 
+<p>The vulnerability may also allow remote users to obtain root access.
+
+<p>This paragraph was extracted from CIAC h-86 (see References):<br>
+ On Linux, programs linked against shared libraries execute some code
+ contained in /lib/ld.so (for a.out binaries) or /lib/ld-linux.so (for
+ ELF binaries), which loads the shared libraries and binds all symbols.
+ If an error occurs during this stage, an error message is printed and
+ the program terminates. The printf replacement used at this stage is
+ not protected from buffer overruns.
+      
+<p>References:
+<ul>
+<li><a href="http://ciac.llnl.gov/ciac/bulletins/h-86.shtml";>CIAC Bulletin
+h-86</a>
+</ul>
+
 <p>Fixes: ldso-1.8.11 or later
 </define-tag>
 
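Review bot: the sentence on the `+<p>The vulnerability may also allow remote users` line widens the impact from the local-privilege summary in the context lines to remote root without saying where that comes from, while the next paragraph is explicitly attributed to CIAC h-86; either attribute this sentence to the same bulletin or drop it. Also, the `+      ` line just before `+<p>References:` is whitespace-only and should be an empty line.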
diff -u old/1libdb.wml new/1libdb.wml
--- old/1libdb.wml	Fri Aug 15 12:00:18 2003
+++ new/1libdb.wml	Wed Aug 13 07:54:01 2003
@@ -3,6 +3,16 @@
 Libdb includes version of snprintf() function with bound checking
 disabled.
 
+<p>From the libdb (1.85.4-4) changelog:<br>
+  * PORT/linux/Makefile: SECURITY FIX: don't build broken snprintf, which
+    ignores the bounds check, making programs which just *happen* to use
+    libdb vulnerable...
+
+<p>References:
+<ul>
+<li><a href="http://lists.insecure.org/lists/bugtraq/1997/Jul/0043.html";>BugTraq mail list - July 1997 (0043)</a>
+</ul>
+
 <p>Fixes: libdb 1.85.4-4 or later
 </define-tag>
 
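Review bot: the changelog quote on the `+  * PORT/linux/Makefile:` lines relies on leading spaces and line breaks for its bullet layout, but inside a `<p>` the browser collapses that whitespace and the three lines will render as one run-on sentence; wrap the quoted lines in `<pre>` (or make them a `<ul>` item) so the changelog formatting survives.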
diff -u old/1lynx.wml new/1lynx.wml
--- old/1lynx.wml	Fri Aug 15 12:00:18 2003
+++ new/1lynx.wml	Wed Aug 13 07:54:01 2003
@@ -2,6 +2,15 @@
 <define-tag moreinfo>
 Restricted/anonymous lynx users can execute arbitrary
 commands.
+
+<p>Also, conceivably, a malicious webmaster could cause lynx users to execute
+arbitrary commands.
+
+<p>References:
+<ul>
+<li><a href="http://www.cert.org/vendor_bulletins/VB-97.05.lynx";>CERT Vendor Bulletins - VB-97.05.lynx</a>
+<li><a href="http://www.ciac.org/ciac/bulletins/h-82.shtml";>CIAC Bulletin h-82</a>
+</ul>
 <p>Fixes: lynx 2.7.1-3 or later
 </define-tag>
 
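Review bot: the `+</ul>` line is followed directly by `<p>Fixes:` with no blank line, unlike the other files in this patch where the References list is separated from the text that follows; add the blank line for consistency. The `+<p>Also, conceivably, a malicious webmaster` sentence is hedged and carries no attribution; if it comes from VB-97.05 or CIAC h-82, say so in the text.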
diff -u old/1mgetty.wml new/1mgetty.wml
--- old/1mgetty.wml	Fri Aug 15 12:00:18 2003
+++ new/1mgetty.wml	Wed Aug 13 07:54:01 2003
@@ -2,6 +2,11 @@
 <define-tag moreinfo>
 Improper quoting of user data in mgetty allowed users to execute
 commands as root.
+
+<p>References:
+<ul>
+<li><a href="http://lists.insecure.org/lists/bugtraq/1997/Jul/0161.html";> BugTraq mail list - Jul 1997 (0161)
+</ul>
 </define-tag>
 
 
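Review bot: the anchor on the `+<li><a href="http://lists.insecure.org/lists/bugtraq/1997/Jul/0161.html";>` line has no closing `</a>`, so the link runs on into the rest of the page; append `</a>` after `(0161)`.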
diff -u old/1modutils.wml new/1modutils.wml
--- old/1modutils.wml	Fri Aug 15 12:00:18 2003
+++ new/1modutils.wml	Wed Aug 13 07:54:01 2003
@@ -2,6 +2,14 @@
 <P>Note:<BR> Use of request-route is not recommended. The diald package
 provides the same functionality in a much better way. In a future kernel,
 support for request-route will be dropped.
+
+<p>References:
+<ul>
+<li><a href="http://www.securitybugware.org/Linux/658.html";>securitybugware.org - SBWID-658 </a>
+<li><a href="http://www.faqs.org/docs/Linux-mini/Kerneld.html";>Linux
+Kerneld mini-HOWTO (search for request-route)</a>
+</ul>
+
 </define-tag>
 <define-tag description>request-route used a lock file in /tmp</define-tag>
 
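Review bot: the link text on the `+<li><a href="http://www.securitybugware.org/Linux/658.html";>` line carries a trailing space before `</a>` (`SBWID-658 </a>`); drop it. The added blank `+` line immediately before `</define-tag>` is also unnecessary.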
diff -u old/1parsecontrol.data new/1parsecontrol.data
--- old/1parsecontrol.data	Fri Aug 15 12:00:18 2003
+++ new/1parsecontrol.data	Wed Aug 13 08:48:01 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>parse-control</define-tag>
 <define-tag report_date>undated</define-tag>
+<define-tag secrefs>CA-1997-08</define-tag>
 <define-tag packages>inn</define-tag>
 <define-tag isvulnerable>no</define-tag>
 <define-tag fixed>Yes</define-tag>
diff -u old/1parsecontrol.wml new/1parsecontrol.wml
--- old/1parsecontrol.wml	Fri Aug 15 12:00:18 2003
+++ new/1parsecontrol.wml	Wed Aug 13 07:54:01 2003
@@ -1,6 +1,26 @@
 <define-tag moreinfo>
 </define-tag>
 <define-tag description>INN 1.5 parsecontrol</define-tag>
+<define-tag moreinfo>
+This vulnerability may allow remote users to execute arbitrary commands
+with the privileges of the user that manages the news server.
 
+<p>Quoting from CA-1997-08:<br>
+Remote, unauthorized users can execute arbitrary commands on the system
+with the same privileges as the innd (INN daemon) process.  Attacks may
+reach news servers located behind Internet firewalls.
+
+<p>Versions of INN prior to 1.5.1 are vulnerable.
+
+<p>The Debian entry from CA-1997-08:<br>
+The current version of INN shipped with Debian is 1.4unoff4.
+However the "unstable" (or development) tree contains inn-1.5.1.
+
+<p>References:
+<ul>
+<li><a href="http://www.cert.org/summaries/CS-97.02.html";> CERT Special Edition about news servers</a>
+</ul>
+
+</define-tag>
 # do not modify the following line
 #include '$(ENGLISHDIR)/security/undated/1parsecontrol.data'
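Review bot: the file already has an empty `<define-tag moreinfo>` / `</define-tag>` pair on the first two context lines, and this hunk adds a second `+<define-tag moreinfo>` after the description line instead of filling the empty one, so moreinfo ends up defined twice; put the new text between the existing open and close tags, or remove the empty pair, so the tag is defined exactly once.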
diff -u old/1samba.wml new/1samba.wml
--- old/1samba.wml	Fri Aug 15 12:00:18 2003
+++ new/1samba.wml	Fri Aug 15 11:46:21 2003
@@ -1,6 +1,16 @@
 <define-tag description>remote root exploit</define-tag>
 <define-tag moreinfo>
 Problem with Samba allowed remote users to get root access.
+
+<p>An exploit has been posted on the internet and the vunerability is
+assumed to be actively exploited.
+
+<p>All versions of Samba prior to version 1.9.17p2 are vulnerable.
+
+<p>References:
+<ul>
+<li> <a href="http://www.cert.org/vendor_bulletins/VB-97.10.samba";>CERT Vendor Bulletin for Samba</a>
+</ul>
 </define-tag>
 
 # do not modify the following line
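Review bot: typo on the `+assumed to be actively exploited.` paragraph: `vunerability` should be `vulnerability`. The statement that the hole is assumed to be actively exploited has no source in the hunk; if it is taken from the cited CERT vendor bulletin, attribute it there.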
diff -u old/1sperl.data new/1sperl.data
--- old/1sperl.data	Fri Aug 15 12:00:18 2003
+++ new/1sperl.data	Wed Aug 13 08:48:01 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>sperl</define-tag>
 <define-tag report_date>undated</define-tag>
+<define-tag secrefs>CA-1997-17</define-tag>
 <define-tag packages>perl-suid</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>Yes</define-tag>
diff -u old/1sperl.wml new/1sperl.wml
--- old/1sperl.wml	Fri Aug 15 12:00:18 2003
+++ new/1sperl.wml	Wed Aug 13 07:54:02 2003
@@ -2,6 +2,12 @@
 
 <define-tag moreinfo>
 Users can gain root access with suidperl version 5.003.
+
+<p> If called with crafted parameters, a buffer overflow condition in
+suidperl could allow a user to execute arbitrary commands as root.
+
+<p> Unpatched versions of suidperl (sperl) 4.n and 5.n prior to 5.004, are
+vunerable.
 </define-tag>
 
 
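Review bot: typo on the `+vunerable.` line (`vulnerable`), and the comma in `prior to 5.004, are` separates subject from verb; remove it. The `+<p> If` and `+<p> Unpatched` lines have a space after the tag, unlike the other files. Also, this is the only .wml in the patch that gains no References list even though 1sperl.data gains `secrefs CA-1997-17`; a link to that advisory would fit here.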
diff -u old/1svgalib.wml new/1svgalib.wml
--- old/1svgalib.wml	Fri Aug 15 12:00:18 2003
+++ new/1svgalib.wml	Wed Aug 13 07:54:02 2003
@@ -1,6 +1,17 @@
 <define-tag description>local root exploit</define-tag>
 <define-tag moreinfo>
 svgalib didn't properly give up root privileges.
+
+<p>Quoting from the ksrt advisory:<br>
+svgalib 1.2.10 and below do not properly revoke privileges, and through
+the use of saved user ids, any svgalib application may still be vulnerable
+to buffer overruns(stack overwrites).
+
+<p>References: 
+<ul>
+<li> <a href="http://www.attrition.org/security/advisory/ksrt/ksrt.001.svgalib.zgv";>Attrition.org advisory ksrt.001</a>
+<li> <a href="http://lists.insecure.org/lists/bugtraq/1997/Jun/0128.html";>BugTraq mail list June 1997 (0128)</a>
+</ul>
 </define-tag>
 
 # do not modify the following line
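Review bot: the `+<p>References: ` line has trailing whitespace; strip it. In the quoted advisory text, `overruns(stack overwrites)` lacks a space before the parenthesis; keep it if that is verbatim from ksrt.001, but then marking the quoted paragraph as a `<blockquote>` would make clear it is not the page's own wording.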
diff -u old/1teardrop.data new/1teardrop.data
--- old/1teardrop.data	Fri Aug 15 12:00:18 2003
+++ new/1teardrop.data	Wed Aug 13 08:48:01 2003
@@ -1,5 +1,6 @@
 <define-tag pagetitle>teardrop</define-tag>
 <define-tag report_date>undated</define-tag>
+<define-tag secrefs>CA-1997-28</define-tag>
 <define-tag packages>kernel-package</define-tag>
 <define-tag isvulnerable>yes</define-tag>
 <define-tag fixed>Yes</define-tag>
