[LWN Logo]
Date: Wed, 15 Nov 2000 15:36:30 +0100 (MET)
From: Roman Drahtmueller <draht@suse.de>
To: suse-security-announce@suse.de
Subject: [suse-security-announce] SuSE: miscellaneous


SuSE: miscellaneous                15:30 MET, Wednesday, November 15 2000

This notice addresses the latest security advisories from various Linux
vendors as well as private contributors on public security forums. The
issues have been collected to keep the noise on the public security 
forums at a reduced level.

The information herein should be considered both background as well as 
upgrade information (please read carefully).

        1) SuSE security staff

        2) packages:
                gpg     (update information)
                bind8   (status: update avail, announcement pending)
                pine    (status: testing new version 4.30)
                dump    (status: not vulnerable)
                phf     (status: not vulnerable)
                gs      (status: pending)
                global  (status: building)
                crontab (status: not vulnerable)
                vlock   (status: not vulnerable)
                tcpdump (status: update avail, testing)
                tcsh    (status: update+announcement pending)
                modules (status: more updates for older distributions)

1) SuSE security staff

SuSE welcomes security professional Sebastian Krahmer <krahmer@suse.de>
aboard the SuSE security team. His name has already been on top of the
last SuSE security announcement about the security problems in the modules
package. Enlarging the capacity of the security team, Sebastian will be
busy fixing security problems, auditing code and maintaining security-
related software. More security announcements from him will be seen in the

2) packages

* gpg

  GnuPG may erroneously recognize a file/mail to be correctly signed, if
  there are multiple signatures and the file/mail has been modified.
  This bug affects all GnuPG versions prior to and including 1.0.3. It has
  been fixed in version 1.0.4. Updated packages are available on our
  German ftp server (as well as its mirrors) for the SuSE distributions
  6.3, 6.4 and 7.0. Please note that the gpg packages for the SuSE-7.0
  distribution have an addon, called gpgaddon. It contains
  implementations of cipher algorythms that require licenses in many
  countries due to software patents. Those gpgaddon packages are not
  listed below.
  There will not be a security announcement for this package - the
  privacy risk for users of the old package is considerably small.
  You can update your installed packages using the command
    rpm -Uhv <URL-to-file>
  where <URL-to-file> is one of the following FTP URLs to chose from.

  Please use the SuSE Linux mirrors as listed at
  http://www.suse.de/de/support/download/ftp/inland.html .

  The md5sums for the files on the ftp server are:

  i386 Intel Platform

  source rpm:

  source rpm:

  source rpm:

  Sparc Platform

  source rpm:

  PPC Power PC platform

  source rpm:

  source rpm:

  AXP Alpha Platform

  source rpm:

  source rpm:


* bind8

  BIND, the Berkeley Internet Name Daemon, versions before 8.2.2p7, has
  been found vulnerable to two denial of service attacks: named may crash
  after a compressed zone transfer request and if an SRV record (defined
  in RFC2782) is sent to the server. SuSE versions 6.0 through 6.4 are
  affected by this problem. The bind8 package in SuSE-7.0 is not
  susceptible to the problems because a different version of bind8 has
  been used in this distribution.

  A temporary workaround against the first error is to disable zone
  transfers if those are not needed (it is recommended for security
  reasons, and the default configuration in our package has zone transfers
  disabled.). Since the second bug can't be circumvented so easily, it is
  recommended to upgrade the bind8 package as soon as possible.
  Recognizing the urgency of this issue, the updated packages are on their
  way to the ftp server right now. An announcement covering the issue will
  follow this notice.

* pine

  The popular text-based mail user agent is vulnerable to a buffer
  overflow in the portion of code that periodically checks for the arrival
  of new mail. In addition, there is an error in the header parsing code
  which could lead to a crash of the mail program.
  The authors of pine (University of Washington, Seattle, see
  http://www.washington.edu/pine/credits.html) have published a new version
  of the pine package that should fix the known problems. During testing,
  several instabilities of the program have been observed so that we
  have delayed the release of the updated version. Additional patches are
  being tested right now so that the release of the new version 4.30 can
  be expected within days.

* dump

  The Linux implementation of the ext2fs backup utility "dump" can be
  tricked into running arbitrary commands as root in case it is installed
  setuid root. dump is not installed suid root in SuSE Linux releases 6.0
  through (the most recent) 7.0 because there is no convincing reason to
  do so. Therefore, SuSE Linux is not vulnerable to this problem with
  the dump program.

* phf cgi program

  proton <proton@ENERGYMECH.NET> has discovered a buffer overflow that can
  lead the phf cgi program to execute arbitrary code with the privileges
  of the user that the webserver is running under. SuSE distributions
  contain a cgi program that is called phf, it is included in the thttpd
  package. Installed under /usr/local/httpd/htdocs/cgi-bin/phf, this
  program is a booby trap that logs attackers intending to exploit
  formerly known bugs of the phf program. By consequence, SuSE
  distributions are not vulnerable to the buffer overflow in the phf

* gs

  The Ghostscript program in SuSE distributions runtime-links against
  shared libraries in the current working directory if a shared library
  with the adequate name is present. The problem is created by exporting
  the environment variable LD_RUN_PATH at linking time during the package
  compile process. Later, at runtime linking, the runtime linker
  ld-linux.so.2 will try to open ./libc.so.6. If this fails, the linker
  will continue searching the usual paths to find the library.
  Basically, this means that users should call gs as well as all programs
  using gs (such as gv or ghostview) in a directory that is only
  writeable by the user calling gs. It is expected that more Linux
  distributions (other than SuSE Linux) and possibly commercial unix
  vendors as well are affected by this problem. In future versions of the
  SuSE Linux distribution, this problem will be fixed.

* global

  htags, one program within the global package, is a hypertext generator
  from C, Yacc and Java source code. The "-f" option generates a cgi
  script as an input form backend that is vulnerable to a simple remote
  attack if the script is executable by a webserver. Remote attackers can
  run arbitrary commands under the user privileges of the webserver.
  The global package is not installed per default, nor is the bug present
  in the "installed-only" state of the package. However, if you use the
  program and the "-f" option of htags, it is recommended to upgrade the
  package as soon as possible. We are working on the update packages.

* crontab

  A tmp file vulnerability has been found in various implementations of
  the crontab(1) command. SuSE Linux is not affected by this problem.

* vlock

  vlock is a terminal locking program for the Linux virtual system
  console. It has been reported by Bartlomiej Grzybicki 
  <bgrzybicki@morliny.pl> that it is possible to crash a running vlock and
  thus giving access to a console without a password. However, the
  conditions under which the failure happens are not clear.
  SuSE distributions are not concerned because the vlock program is not
  included in the distribution.

* tcpdump

  Several buffer overflows have been found in the tcpdump program, a
  network analysis program, according to FreeBSD Security Advisory
  FreeBSD-SA-00:61.tcpdump. The vulnerability can be used to remotely crash
  a running tcpdump program. Since the version of tcpdump included in SuSE
  distributions is not capable of decoding AFS ACL packets, this particular
  part of the bugs does not concern SuSE Linux. Though, some intrusion
  detection systems rely on tcpdump's output so that a proper operation of
  the tcpdump program is crutial.
  There are updates packages available for download on our ftp server
  which fix the vulnerability. The security announcement is pending while
  we're still testing the packages.

* tcsh

  proton <proton@ENERGYMECH.NET> has found a temporary file vulnerability
  in the portion of code in the tcsh that handles redirects of the form
        cat << END_OF_TEXT
  With this vulnerability in place, it is possible for an attacker to
  overwrite arbitrary files with the privileges of the user of tcsh.
  There is no fix for this problem other than an upgrade to a fixed
  version which will be available on our ftp server shortly. An advisory
  covering this matter will follow.

* modules/modutils

  Sebastian Krahmer <krahmer@suse.de> has issued a SuSE security
  announcement about the shell meta character expansion vulnerability in
  the modprobe program that is responsible for the automatic loading of
  kernel modules upon request. In addition to the update packages for
  the vulnerable versions of the SuSE distribution, we will provide
  updates for the older distributions (6.0-6.3) shortly, even though
  these distributions have not been found vulnerable to the modprobe
  problem. The rpm packages can be found at the usual location shortly. 

Roman Drahtmüller,
SuSE Security.
- -- 
 -                                                                      -
| Roman Drahtmüller      <draht@suse.de> //          "Caution: Cape does |
  SuSE GmbH - Security           Phone: //       not enable user to fly."
| Nürnberg, Germany     +49-911-740530 // (Batman Costume warning label) |
 -                                                                      -

Version: 2.6.3i
Charset: noconv


To unsubscribe, e-mail: suse-security-announce-unsubscribe@suse.com
For additional commands, e-mail: suse-security-announce-help@suse.com