[ESA-20010621-01] xinetd updates

From:	 EnGarde Secure Linux <security@guardiandigital.com>
To:	 engarde-security@guardiandigital.com, bugtraq@securityfocus.com
Subject: [ESA-20010621-01]  xinetd updates
Date:	 Fri, 29 Jun 2001 09:59:31 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------+
| EnGarde Secure Linux Security Advisory                   June 21, 2001 |
| http://www.engardelinux.org/                           ESA-20010621-01 |
|                                                                        |
| Package:  xinetd                                                       |
| Summary:  There are various bugs and security issues in the version of |
|           xinetd that shipped with EnGarde Secure Linux 1.0.1.         |
+------------------------------------------------------------------------+

  EnGarde Secure Linux is a secure distribution of Linux that features
  improved access control, host and network intrusion detection, Web
  based secure remote management, complete e-commerce using AllCommerce,
  and integrated open source security tools.


OVERVIEW
- --------
  There are bugs (both security and non-security) in xinetd.  The
  non-security bug causes xinetd to fail after the first connection
  attempt and the security bug can potentially lead to a root comprimise
  via a buffer overflow.


DETAIL
- ------
  The first bug is a non-security one.  There were several reports on the
  engarde-users mailing list of vsftpd only accepting the first connection
  and dropping all subsequent ones.  The users had a "Bad address" entry
  from xinetd in their logs.  Rob Braun explains this problem:

    "The specific bug is in libs/src/misc/env.c, in the environment
     handling.  The grow() function does a realloc() to extend the
     existing memory.  The memory returned by realloc() is in an undefined
     state, and that's what is causing the bad address." 

  This bug was fixed by upgrading to version 2.1.8.9pre15.

  The other bugs are as follows:

    1) xinetd was setting its umask to 0.  Thus, any children of xinetd
       would inherit this umask.  This is not much of a security issue
       because the only service that is run out of xinetd is vsftpd, which
       sets its own umask (027 by default).

    2) There was a buffer overflow in the logging code that could
       potentially allow a remote attacker to obtain root privileges by
       sending a very long username string in response to an ident
       request.  This bug was found by zen-parse@gmx.net.

  Both of these bugs were fixed by upgrading to version 2.1.8.9pre16.

  Additionally, this version disables ident checking by default in
  xinetd.conf.  If you would like to disable ident checking completely
  (which is recommended), you should remove the "USERID" option from the
  "log_on_success" and "log_on_failure" lines of /etc/xinetd.d/ftp.


SOLUTION
- --------
  All users should upgrade to the most recent version, as outlined in
  this advisory.  All updates can be found at:

    ftp://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.engardelinux.org/pub/engarde/stable/updates/
    http://ftp.ibiblio.org/pub/linux/distributions/engarde/stable/updates/

  Before upgrading the package, the machine must either:

    a) be booted into a "standard" kernel; or
    b) have LIDS disabled.

  To disable LIDS, execute the command:

    # /sbin/lidsadm -S -- -LIDS_GLOBAL

  To install the updated package, execute the command:

    # rpm -Uvh <filename>

  Once the updated package is installed, you need to restart xinetd:

    # /etc/init.d/xinetd restart

  To re-enable LIDS (if it was disabled), execute the command:

    # /sbin/lidsadm -S -- +LIDS_GLOBAL

  To verify the signature of the updated packages, execute the command:

    # rpm -Kv <filename>


UPDATED PACKAGES
- ----------------
  These updated packages are for EnGarde Secure Linux 1.0.1 (Finestra).

  Source Packages:

    SRPMS/xinetd-2.1.8.9pre16-1.0.17.src.rpm
      MD5 Sum:  118787db019ca76f44dc00cdca67c36e

  Binary Packages:

    i386/xinetd-2.1.8.9pre16-1.0.17.i386.rpm
      MD5 Sum:  a48c022c82055db97f415f3f18bdefcf

    i686/xinetd-2.1.8.9pre16-1.0.17.i686.rpm
      MD5 Sum:  cc3e2a218918a1ff2c107b68d7cbe8b2



REFERENCES
- ----------

  Guardian Digital's public key:
    http://ftp.engardelinux.org/pub/engarde/ENGARDE-GPG-KEY

  xinetd's Official Web Site:
    http://www.xinetd.org/


- --------------------------------------------------------------------------
$Id: ESA-20010621-01-xinetd,v 1.2 2001/06/29 13:56:38 rwm Exp $
- --------------------------------------------------------------------------
Author: Ryan W. Maple, <ryan@guardiandigital.com> 
Copyright 2001, Guardian Digital, Inc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7PInLHD5cqd57fu0RAgkGAJ0ReyjI3b+hz9tQBJWFedmkd+u1GgCfcFVh
K2dMdDUDg2TQaPr3sHkRR/E=
=3Xm5
-----END PGP SIGNATURE-----