November 2005
Four Gentoo Linux Security Advisories
ID: 01015
Ref: 952/2005
Date: 14 November 2005 12:20:30
Version: 1
Title: Four Gentoo Linux Security Advisories
Abstract:
Vendors affected: Gentoo
Operating systems affected: Gentoo
Applications affected: Gentoo
Title
=====
Four Gentoo Linux Security Advisories:
1. GLSA 200511-08 - PHP: Multiple vulnerabilities
2. GLSA 200511-09 - Lynx: Arbitrary command execution
3. GLSA 200511-10 - RAR: Format string and buffer overflow vulnerabilities
4. GLSA 200511-11 - linux-ftpd-ssl: Remote buffer overflow
Detail
======
1. Multiple vulnerabilities have been found and fixed in PHP:
* a possible $GLOBALS variable overwrite problem through file upload
handling, extract() and import_request_variables() (CVE-2005-3390)
* a local Denial of Service through the use of the session.save_path
option (CVE-2005-3319), together with further issues listed in the full
advisory below
2. iDefense labs discovered a problem within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. Due to a configuration
error, the default settings allow websites to specify commands to run
as the user running Lynx.
3. Tan Chew Keong reported two vulnerabilities found in RAR:
* A format string error exists when displaying a diagnostic error
message that informs the user of an invalid filename in a UUE/XXE
encoded file.
* Some boundary errors in the processing of malicious ACE archives
can be exploited to cause a buffer overflow.
4. A buffer overflow vulnerability has been found in the linux-ftpd-ssl
package. A command that generates an excessively long response from the
server may overrun a stack buffer.
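Before running the emerge commands in the advisories below, it helps to know which installed versions actually fall into each table's Vulnerable column. The script below is an added example written for this page, not part of any Gentoo advisory or tool: it compares Gentoo-style versions with an optional -rN revision and evaluates a package against a GLSA table row. The inventory it checks is constructed sample data. The starred Unaffected entries are read as "same version, revision greater or equal", which is this example's assumption about that marker, and version suffixes such as _rc or _p are deliberately not handled.

```shell
#!/bin/sh
# Added example: check installed Gentoo package versions against a GLSA
# "Affected packages" table. Versions are N.N.N with an optional -rN revision;
# suffixes such as _rc or _p are deliberately not handled (assumption).
set -f   # the '*' marker on table entries must not be expanded as a glob

# ver_cmp A B: prints -1, 0 or 1 for A < B, A = B, A > B.
ver_cmp() {
    local a_base a_rev b_base b_rev a_rest b_rest x y
    case $1 in *-r*) a_base=${1%-r*}; a_rev=${1##*-r} ;; *) a_base=$1; a_rev=0 ;; esac
    case $2 in *-r*) b_base=${2%-r*}; b_rev=${2##*-r} ;; *) b_base=$2; b_rev=0 ;; esac
    a_rest=$a_base. ; b_rest=$b_base.
    # Compare dotted components numerically; a missing component counts as 0.
    while [ -n "$a_rest" ] || [ -n "$b_rest" ]; do
        x=${a_rest%%.*}; a_rest=${a_rest#*.}
        y=${b_rest%%.*}; b_rest=${b_rest#*.}
        if [ "${x:-0}" -lt "${y:-0}" ]; then printf '%s\n' -1; return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then printf '%s\n' 1; return 0; fi
    done
    # Same base version: the ebuild revision decides.
    if   [ "$a_rev" -lt "$b_rev" ]; then printf '%s\n' -1
    elif [ "$a_rev" -gt "$b_rev" ]; then printf '%s\n' 1
    else printf '%s\n' 0; fi
}

# same_base A B: true when A and B differ at most in their -rN revision.
same_base() { [ "${1%-r*}" = "${2%-r*}" ]; }

# glsa_vulnerable INSTALLED BOUND UNAFFECTED...
# True (exit 0) when INSTALLED lies in the table's "< BOUND" vulnerable range
# and no Unaffected entry covers it. An entry written as *VERSION (the table's
# starred form) is read here as "same version, revision >= VERSION" (this
# example's assumption); a plain entry means ">= VERSION".
glsa_vulnerable() {
    local inst bound u
    inst=$1; bound=$2; shift 2
    [ "$(ver_cmp "$inst" "$bound")" -lt 0 ] || return 1
    for u in "$@"; do
        case $u in
            \**) u=${u#\*}; same_base "$inst" "$u" || continue ;;
        esac
        if [ "$(ver_cmp "$inst" "$u")" -ge 0 ]; then return 1; fi
    done
    return 0
}

# Constructed inventory (not taken from a real host): package, installed
# version, then the GLSA row's vulnerable bound and Unaffected entries.
report() {
    local pkg inst bound unaff
    printf '%s\n' \
        'dev-php/php      4.4.0-r3  4.4.0-r4  *4.3.11-r4 4.4.0-r4' \
        'dev-php/php-cgi  4.3.11-r5 4.4.0-r5  *4.3.11-r5 4.4.0-r5' \
        'www-client/lynx  2.8.5-r1  2.8.5-r2  2.8.5-r2' \
        'app-arch/rar     3.5.1     3.5.1     3.5.1' \
        'net-ftp/ftpd     0.17-r2   0.17-r3   0.17-r3' |
    while read -r pkg inst bound unaff; do
        # $unaff is split on purpose; globbing is off (set -f above)
        if glsa_vulnerable "$inst" "$bound" $unaff; then
            printf 'VULNERABLE  %s-%s  (upgrade to >= %s)\n' "$pkg" "$inst" "$bound"
        else
            printf 'ok          %s-%s\n' "$pkg" "$inst"
        fi
    done
}

report
```

On a real Gentoo host the inventory lines would come from the installed-package database rather than the literal list above; the comparison logic stays the same, and the table rows are copied from the advisory that applies.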
1.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: PHP: Multiple vulnerabilities
Date: November 13, 2005
Bugs: #107602, #111032
ID: 200511-08
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
PHP suffers from multiple issues, resulting in bypass of security
functions, local Denial of Service, cross-site scripting or overwriting
of PHP variables.
Background
==========
PHP is a general-purpose scripting language widely used to develop
web-based applications. It can run inside a web server using the
mod_php module or the CGI version and also stand-alone in a CLI.
Affected packages
=================
-------------------------------------------------------------------
     Package              /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  dev-php/php             < 4.4.0-r4            *>= 4.3.11-r4
                                                    >= 4.4.0-r4
  2  dev-php/mod_php         < 4.4.0-r8            *>= 4.3.11-r4
                                                    >= 4.4.0-r8
  3  dev-php/php-cgi         < 4.4.0-r5            *>= 4.3.11-r5
                                                    >= 4.4.0-r5
-------------------------------------------------------------------
     3 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Multiple vulnerabilities have been found and fixed in PHP:
* a possible $GLOBALS variable overwrite problem through file upload
handling, extract() and import_request_variables() (CVE-2005-3390)
* a local Denial of Service through the use of the session.save_path
option (CVE-2005-3319)
* an issue with trailing slashes in allowed basedirs (CVE-2005-3054)
* an issue with calling virtual() on Apache 2, allowing safe_mode and
open_basedir restrictions to be bypassed (CVE-2005-3392)
* a problem when a request was terminated due to memory_limit
constraints during certain parse_str() calls (CVE-2005-3389)
* the curl and gd modules allowed the safe_mode and open_basedir
restrictions to be bypassed (CVE-2005-3391)
* a cross-site scripting (XSS) vulnerability in phpinfo()
(CVE-2005-3388)
Impact
======
Attackers could leverage these issues to exploit applications whose
security relies on proper register_globals, safe_mode or open_basedir
settings. Remote attackers could also conduct cross-site scripting
attacks if a page calling phpinfo() was reachable. Finally, a local
attacker could cause a local Denial of Service using malicious
session.save_path options.
Workaround
==========
There is no known workaround that would solve all issues at this time.
Resolution
==========
All PHP users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose dev-php/php
All mod_php users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose dev-php/mod_php
All php-cgi users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose dev-php/php-cgi
References
==========
[ 1 ] CVE-2005-3054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3054
[ 2 ] CVE-2005-3319
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3319
[ 3 ] CVE-2005-3388
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3388
[ 4 ] CVE-2005-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3389
[ 5 ] CVE-2005-3390
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3390
[ 6 ] CVE-2005-3391
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3391
[ 7 ] CVE-2005-3392
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3392
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-08.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
2.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: Lynx: Arbitrary command execution
Date: November 13, 2005
Bugs: #112213
ID: 200511-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Lynx is vulnerable to an issue which allows the remote execution of
arbitrary commands.
Background
==========
Lynx is a fully-featured WWW client for users running
cursor-addressable, character-cell display devices such as vt100
terminals and terminal emulators.
Affected packages
=================
-------------------------------------------------------------------
     Package              /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  www-client/lynx         < 2.8.5-r2             >= 2.8.5-r2
-------------------------------------------------------------------
Description
===========
iDefense labs discovered a problem within the feature to execute local
cgi-bin programs via the "lynxcgi:" URI handler. Due to a configuration
error, the default settings allow websites to specify commands to run
as the user running Lynx.
Impact
======
A remote attacker can entice a user to access a malicious HTTP server,
causing Lynx to execute arbitrary commands.
Workaround
==========
Disable "lynxcgi" links by specifying the following directive in
lynx.cfg:
TRUSTED_LYNXCGI:none
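The directive is easy to mistype or to leave behind as a commented-out line, so it is worth checking the file rather than trusting that the edit was made. The script below is an added example for this page, not Gentoo's or the Lynx project's code: it audits a lynx.cfg for an active TRUSTED_LYNXCGI:none line, appends the workaround when it is missing, and lists any remaining TRUSTED_LYNXCGI entries for review. Only the directive name and value are taken from the advisory; the sample configuration content is constructed.

```shell
#!/bin/sh
# Added example: audit a lynx.cfg for the GLSA 200511-09 workaround and
# append it when missing. Only the directive name and value come from the
# advisory; the sample config below is constructed, not from a real host.

# lynxcgi_disabled FILE: true when FILE carries an active (uncommented)
# TRUSTED_LYNXCGI:none line. Leading whitespace is tolerated; a copy that is
# commented out with '#' does not count.
lynxcgi_disabled() {
    grep -q '^[[:space:]]*TRUSTED_LYNXCGI:[[:space:]]*none[[:space:]]*$' "$1"
}

# lynxcgi_trusted_paths FILE: print the remaining TRUSTED_LYNXCGI entries,
# i.e. directories still explicitly listed as trusted for lynxcgi programs,
# so an administrator can review them.
lynxcgi_trusted_paths() {
    grep '^[[:space:]]*TRUSTED_LYNXCGI:' "$1" |
        grep -v ':[[:space:]]*none[[:space:]]*$' || true
}

# harden_lynx_cfg FILE: append the workaround unless it is already active.
# Exit 0 if the file was changed, 1 if it already had the directive.
harden_lynx_cfg() {
    if lynxcgi_disabled "$1"; then
        return 1
    fi
    printf '\n# GLSA 200511-09 workaround: disable all lynxcgi: links\nTRUSTED_LYNXCGI:none\n' >> "$1"
}

# Demo on a constructed config: the commented-out copy must not pass the check.
demo() {
    local cfg
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
# constructed lynx.cfg excerpt: the workaround is present but commented out
STARTFILE:http://www.example.com/
#TRUSTED_LYNXCGI:none
TRUSTED_LYNXCGI:/usr/local/lib/lynx/cgi-bin
EOF
    if lynxcgi_disabled "$cfg"; then echo "before: lynxcgi disabled"
    else echo "before: lynxcgi ENABLED"; fi
    harden_lynx_cfg "$cfg" && echo "appended TRUSTED_LYNXCGI:none"
    if lynxcgi_disabled "$cfg"; then echo "after:  lynxcgi disabled"; fi
    echo "entries left to review:"
    lynxcgi_trusted_paths "$cfg"
    rm -f "$cfg"
}

demo
```

Run it against the real file with `harden_lynx_cfg /etc/lynx.cfg` (or wherever the distribution installs lynx.cfg); the upgrade in the Resolution section below remains the actual fix, and the workaround only closes the lynxcgi: path.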
Resolution
==========
All Lynx users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-client/lynx-2.8.5-r2"
References
==========
[ 1 ] CVE-2005-2929
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2929
[ 2 ] iDefense Security Advisory 11.11.05
http://www.idefense.com/application/poi/display?id=338&type=vulnerabilities
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-09.xml
3.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: RAR: Format string and buffer overflow vulnerabilities
Date: November 13, 2005
Bugs: #111926
ID: 200511-10
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
RAR contains a format string error and a buffer overflow vulnerability
that may be used to execute arbitrary code.
Background
==========
RAR is a powerful archive manager that can decompress RAR, ZIP and
other files, and can create new archives in RAR and ZIP file format.
Affected packages
=================
-------------------------------------------------------------------
     Package              /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  app-arch/rar            < 3.5.1                >= 3.5.1
-------------------------------------------------------------------
Description
===========
Tan Chew Keong reported two vulnerabilities found in RAR:
* A format string error exists when displaying a diagnostic error
message that informs the user of an invalid filename in a UUE/XXE
encoded file.
* Some boundary errors in the processing of malicious ACE archives
can be exploited to cause a buffer overflow.
Impact
======
A remote attacker could exploit these vulnerabilities by enticing a
user to:
* decode a specially crafted UUE/XXE file, or
* extract a malicious ACE archive containing a file with an overly
long filename.
When the user performs either action, arbitrary code of the attacker's
choice could be executed with that user's privileges.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All RAR users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-arch/rar-3.5.1"
References
==========
[ 1 ] RAR Release Notes
http://www.rarlabs.com/rarnew.htm
[ 2 ] Secunia Research 11/10/2005
http://secunia.com/secunia_research/2005-53/advisory/
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-10.xml
4.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200511-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: linux-ftpd-ssl: Remote buffer overflow
Date: November 13, 2005
Bugs: #111573
ID: 200511-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A buffer overflow vulnerability has been found, allowing a remote
attacker to execute arbitrary code with escalated privileges on the
local system.
Background
==========
linux-ftpd-ssl is the netkit FTP server with encryption support.
Affected packages
=================
-------------------------------------------------------------------
     Package              /   Vulnerable   /          Unaffected
-------------------------------------------------------------------
  1  net-ftp/ftpd            < 0.17-r3              >= 0.17-r3
-------------------------------------------------------------------
Description
===========
A buffer overflow vulnerability has been found in the linux-ftpd-ssl
package. A command that generates an excessively long response from the
server may overrun a stack buffer.
Impact
======
An attacker that has permission to create directories that are
accessible via the FTP server could exploit this vulnerability.
Successful exploitation would execute arbitrary code on the local
machine with root privileges.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All ftpd users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-ftp/ftpd-0.17-r3"
References
==========
[ 1 ] CVE-2005-3524
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3524
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200511-11.xml