December 2005
Three Gentoo Security Advisories: 1. GLSA 200512-01 - Perl: Format string errors can lead to code execution 2. GLSA 200512-02 - Webmin, Usermin: Format string vulnerability 3. GLSA 200512-03 - phpMyAdmin: Multiple vulnerabilities
ID: 01082
Ref: 1017/2005
Date: 12 December 2005 15:19:11
Version: 1
Abstract:
Vendors affected: Gentoo
Operating systems affected: Gentoo
Applications affected: Gentoo
Title
=====
Three Gentoo Security Advisories:
1. GLSA 200512-01 - Perl: Format string errors can lead to code execution
2. GLSA 200512-02 - Webmin, Usermin: Format string vulnerability
3. GLSA 200512-03 - phpMyAdmin: Multiple vulnerabilities
Detail
======
1. Jack Louis discovered a new way to exploit format string errors in Perl
that could lead to the execution of arbitrary code. The technique causes
an integer wrap (overflow) in the efix variable inside the function
Perl_sv_vcatpvfn. The proposed fix closes that specific exploitation
vector to mitigate the risk of format string programming errors in Perl;
it does not remove the need to fix such errors in Perl code.
2. Jack Louis discovered that the "miniserv.pl" web server component of
Webmin and Usermin contains a Perl format string vulnerability: the
username supplied at login is written to the Perl "syslog" facility as
part of the format string rather than as a separate argument.
3. Stefan Esser of Hardened-PHP reported multiple vulnerabilities in
phpMyAdmin. Through the $GLOBALS array a request can overwrite the global
variable import_blacklist, which opens phpMyAdmin to local and remote file
inclusion depending on the PHP version in use (CVE-2005-4079,
PMASA-2005-9). Furthermore, because the contents of the $HTTP_HOST
variable are under the attacker's complete control, it can be used for a
cross-site scripting attack and for local and remote file inclusion
(CVE-2005-3665, PMASA-2005-8).
1.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200512-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Perl: Format string errors can lead to code execution
Date: December 07, 2005
Bugs: #114113
ID: 200512-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
A fix is available for Perl to mitigate the effects of format string
programming errors that could otherwise be exploited to execute
arbitrary code.
Background
==========
Perl is a stable, cross-platform programming language created by Larry
Wall. It contains printf functions that allow construction of strings
from format specifiers and parameters, like the C printf functions. A
well-known class of vulnerabilities, called format string errors,
results from the improper use of the printf functions in C. Perl itself
is vulnerable to a limited form of format string errors through its own
sprintf function, especially through wrapper functions that call
sprintf (for example the syslog function), and an attacker can reach the
format string by taking advantage of Perl's powerful string interpolation
rather than through format specifiers placed by the programmer.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-lang/perl < 5.8.7-r3 >= 5.8.7-r3
*>= 5.8.6-r8
Description
===========
Jack Louis discovered a new way to exploit format string errors in Perl
that could lead to the execution of arbitrary code. The technique causes
an integer wrap (overflow) in the efix variable inside the function
Perl_sv_vcatpvfn. The proposed fix closes that specific exploitation
vector to mitigate the risk of format string programming errors in Perl;
it does not remove the need to fix such errors in Perl code.
Impact
======
Perl applications making improper use of printf functions (or derived
functions) using untrusted data may be vulnerable to the already-known
forms of Perl format string exploits and also to the execution of
arbitrary code.
Workaround
==========
Fix all misbehaving Perl applications so that they make proper use of
the printf and derived Perl functions.
Resolution
==========
All Perl users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose dev-lang/perl
References
==========
[ 1 ] CVE-2005-3962
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3962
[ 2 ] Dyad Security Advisory
http://www.dyadsecurity.com/perl-0002.html
[ 3 ] Research on format string errors in Perl
http://www.securityfocus.com/archive/1/418460/30/30
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200512-01.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.
License
=======
Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.0
2.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200512-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: Webmin, Usermin: Format string vulnerability
Date: December 07, 2005
Bugs: #113888
ID: 200512-02
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Webmin and Usermin contain a format string vulnerability which may lead
to the execution of arbitrary code.
Background
==========
Webmin is a web-based interface for Unix-like systems. Usermin is a
simplified version of Webmin designed for use by normal users rather
than system administrators.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-admin/webmin < 1.250 >= 1.250
2 app-admin/usermin < 1.180 >= 1.180
-------------------------------------------------------------------
2 affected packages on all of their supported architectures.
-------------------------------------------------------------------
Description
===========
Jack Louis discovered that the "miniserv.pl" web server component of
Webmin and Usermin contains a Perl format string vulnerability: the
username supplied at login is written to the Perl "syslog" facility as
part of the format string rather than as a separate argument.
Impact
======
A remote attacker can trigger this vulnerability via a specially
crafted username containing format string data. This can be exploited
to consume a large amount of CPU and memory resources on a vulnerable
system, and possibly to execute arbitrary code of the attacker's choice
with the permissions of the user running Webmin.
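The unsafe logging pattern behind both GLSA 200512-01 (the sprintf wrappers such as syslog named in its Background) and GLSA 200512-02 (miniserv.pl logging the login username), contrasted with the safe form, as an added example that is not code from Gentoo, Webmin/Usermin or Dyad Security. Older Sys::Syslog releases handed the message string straight to sprintf, so the example calls sprintf directly, which also keeps it runnable without a syslog daemon. The usernames, the log_login_* and contains_format_directive functions and the warning counter are constructed for this illustration and are not Webmin features.

```perl
#!/usr/bin/perl
# Added example (not from Gentoo, Webmin/Usermin or Dyad Security).
# Shows what happens when untrusted text becomes part of the string that
# sprintf()/syslog() treat as the FORMAT, versus passing it as an argument.
use strict;
use warnings;

# Vulnerable pattern: the username is interpolated into the format string.
# Perl interpolation ("$user") is the string expansion feature the GLSA
# background warns about: no printf specifier written by the programmer is
# needed for attacker text to end up in the format.
sub log_login_vulnerable {
    my ($user) = @_;
    my $fmt = "Login for user $user from webmin";
    return sprintf($fmt);    # format under attacker control, no arguments
}

# Safe pattern: the format is a literal and the username is an argument, so
# any '%' in it is copied verbatim. With Sys::Syslog the equivalent call is
#   syslog('info', 'Login for user %s from webmin', $user);
sub log_login_safe {
    my ($user) = @_;
    return sprintf('Login for user %s from webmin', $user);
}

# Defensive input check (an assumption of this example, not a Webmin
# feature): refuse names carrying printf directives before any logger sees
# them. Returns 1 if the string contains a '%', 0 otherwise.
sub contains_format_directive {
    my ($s) = @_;
    return $s =~ /%/ ? 1 : 0;
}

# Constructed usernames. Each is harmless as DATA but changes the output
# once it becomes FORMAT.
my @usernames = (
    'alice',             # benign control case
    '%s%s%s%s%s%s%s%s',  # reads arguments that were never passed
    '%20000s',           # field width: 7 bytes of input -> ~20 KB log line
    '%3$s',              # explicit argument index ("efix" in
                         # Perl_sv_vcatpvfn); the dev-lang/perl fix in
                         # GLSA 200512-01 addresses an integer wrap in it
);

for my $user (@usernames) {
    # Count sprintf's "Missing argument" / "Invalid conversion" warnings.
    # In a real deployment those warnings in the web server's error log are
    # a detection signal that someone is feeding directives into the login
    # path.
    my $warned = 0;
    local $SIG{__WARN__} = sub { $warned++ };

    my $bad  = log_login_vulnerable($user);
    my $good = log_login_safe($user);

    # The report line itself uses the safe pattern: $user is an argument.
    printf "%-18s directive=%d warnings=%d vulnerable=%6d bytes safe=%3d bytes\n",
        $user, contains_format_directive($user), $warned,
        length $bad, length $good;
}
```

Run it with `perl` and compare the two byte counts per line: for the benign name they agree, for the '%s' name the vulnerable variant silently drops characters and raises warnings, and for the width directive a few bytes of input inflate into kilobytes of log data, which is the CPU and memory consumption the Impact section describes. Larger widths or explicit indexes are what turned this from a logging nuisance into the memory corruption vector fixed in dev-lang/perl 5.8.7-r3.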
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All Webmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.250"
All Usermin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/usermin-1.180"
References
==========
[ 1 ] CVE-2005-3912
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3912
[ 2 ] Dyad Security Advisory
http://www.dyadsecurity.com/webmin-0001.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200512-02.xml
3.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200512-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: phpMyAdmin: Multiple vulnerabilities
Date: December 11, 2005
Bugs: #114662
ID: 200512-03
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Synopsis
========
Multiple flaws in phpMyAdmin may lead to several XSS issues and local
and remote file inclusion vulnerabilities.
Background
==========
phpMyAdmin is a tool written in PHP intended to handle the
administration of MySQL over the web.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 dev-db/phpmyadmin < 2.7.0_p1 >= 2.7.0_p1
Description
===========
Stefan Esser of Hardened-PHP reported multiple vulnerabilities in
phpMyAdmin. Through the $GLOBALS array a request can overwrite the global
variable import_blacklist, which opens phpMyAdmin to local and remote file
inclusion depending on the PHP version in use (CVE-2005-4079,
PMASA-2005-9). Furthermore, because the contents of the $HTTP_HOST
variable are under the attacker's complete control, it can be used for a
cross-site scripting attack and for local and remote file inclusion
(CVE-2005-3665, PMASA-2005-8).
Impact
======
A remote attacker may exploit these vulnerabilities by sending
malicious requests, causing the execution of arbitrary code with the
rights of the user running the web server. The cross-site scripting
issues allow a remote attacker to inject and execute malicious script
code or to steal cookie-based authentication credentials, potentially
allowing unauthorized access to phpMyAdmin.
Workaround
==========
There is no known workaround at this time.
Resolution
==========
All phpMyAdmin users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/phpmyadmin-2.7.0_p1"
References
==========
[ 1 ] CVE-2005-3665
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3665
[ 2 ] CVE-2005-4079
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4079
[ 3 ] PMASA-2005-8
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-8
[ 4 ] PMASA-2005-9
http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-9
[ 5 ] Hardened-PHP Advisory 25/2005
http://www.hardened-php.net/advisory_252005.110.html
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-200512-03.xml