CPNI - Centre for the Protection of National Infrastructure


February 2005

Three Gentoo Linux Security Advisory: 1. GLSA 200502-11 - Mailman: Directory traversal vulnerability 2. GLSA 200502-12 - Webmin: Information leak in Gentoo binary package 3. GLSA 200502-13 - Perl: Vulnerabilities in perl-suid wrapper

ID: 00130
Ref: 113/2005
Date: 14 February 2005:13:34:25
Version: 1

Title: Three Gentoo Linux Security Advisory: 1. GLSA 200502-11 - Mailman: Directory traversal vulnerability 2. GLSA 200502-12 - Webmin: Information leak in Gentoo binary package 3. GLSA 200502-13 - Perl: Vulnerabilities in perl-suid wrapper
Abstract:
Vendors affected: Gentoo
Operating systems affected: Gentoo
Applications affected: Gentoo

Title
=====

Three Gentoo Linux Security Advisory:

1. GLSA 200502-11 - Mailman: Directory traversal vulnerability

2. GLSA 200502-12 - Webmin: Information leak in Gentoo binary package

3. GLSA 200502-13 - Perl: Vulnerabilities in perl-suid wrapper

Detail
======

1. Mailman contains an error in private.py which fails to properly sanitize
input paths.

2. Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that
the Webmin ebuild contains a design flaw. It imports the encrypted local
root password into the miniserv.users file before building binary packages
that include this file.

3. perl-suid scripts honor the PERLIO_DEBUG environment variable and
write to that file with elevated privileges (CAN-2005-0155).
Furthermore, calling a perl-suid script with a very long path while
PERLIO_DEBUG is set could trigger a buffer overflow (CAN-2005-0156).



1.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200502-11
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Mailman: Directory traversal vulnerability
Date: February 10, 2005
Bugs: #81109
ID: 200502-11

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Mailman fails to properly sanitize input, leading to information disclosure.

Background
==========

Mailman is a Python-based mailing list server with an extensive web interface.

Affected packages
=================

-------------------------------------------------------------------
   Package           /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
1  net-mail/mailman     < 2.1.5-r4     >= 2.1.5-r4

Description
===========

Mailman contains an error in private.py which fails to properly sanitize
input paths.

Impact
======

An attacker could exploit this flaw to obtain arbitrary files on the
web server.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Mailman users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/mailman-2.1.5-r4"

References
==========

[ 1 ] Full Disclosure Announcement
http://lists.netsys.com/pipermail/full-disclosure/2005-February/031562.html
[ 2 ] CAN-2005-0202
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0202

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo
Security Website:

http://security.gentoo.org/glsa/glsa-200502-11.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the confidentiality
and security of our users' machines is of utmost importance to us. Any
security concerns should be addressed to security@gentoo.org or alternatively,
you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0



2.



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200502-12
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: Normal
Title: Webmin: Information leak in Gentoo binary package
Date: February 11, 2005
Bugs: #77731
ID: 200502-12

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Portage-built Webmin binary packages accidentally include a file containing
the local encrypted root password.

Background
==========

Webmin is a web-based system administration console allowing an administrator
to easily configure servers and other features. Using the 'buildpkg' FEATURE,
or the -b/-B emerge options, Portage can build reusable binary packages for
any of the packages available through the Portage tree.

Affected packages
=================

-------------------------------------------------------------------
   Package           /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
1  app-admin/webmin     < 1.170-r3     >= 1.170-r3

Description
===========

Tavis Ormandy of the Gentoo Linux Security Audit Team discovered that
the Webmin ebuild contains a design flaw. It imports the encrypted local
root password into the miniserv.users file before building binary packages
that include this file.

Impact
======

A remote attacker could retrieve Portage-built Webmin binary packages and
recover the encrypted root password from the build host.

Workaround
==========

Users who never built or shared a Webmin binary package are unaffected by
this.

Resolution
==========

Webmin users should delete any old shared Webmin binary package as soon as
possible. They should also consider their buildhost root password potentially
exposed and follow proper audit procedures.

If you plan to build binary packages, you should upgrade to the latest
version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=app-admin/webmin-1.170-r3"
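
To decide which old Webmin binary packages need deleting, the following added example (not part of the Gentoo advisory or of Portage) opens a package as a tar.bz2 stream and reports any miniserv.users member that stores a password hash. It assumes miniserv.users is colon-separated as user:password:..., with "x" meaning no hash is stored in the file; the member path and hash in the sample are constructed.

```python
import io
import tarfile

# Assumption: these password-field values mean "no hash stored in this file".
NO_HASH = {"", "x", "*", "!"}

def exposed_entries(users_text):
    """Return usernames whose miniserv.users line carries a stored hash."""
    exposed = []
    for line in users_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 2 or not fields[0] or fields[0].startswith("#"):
            continue  # blank line, comment, or malformed entry
        if fields[1] not in NO_HASH:
            exposed.append(fields[0])
    return exposed

def audit_package(fileobj):
    """Scan one binary package; return {member_path: [exposed users]}."""
    findings = {}
    with tarfile.open(fileobj=fileobj, mode="r:bz2") as tar:
        for member in tar:
            base = member.name.rsplit("/", 1)[-1]
            if member.isfile() and base == "miniserv.users":
                raw = tar.extractfile(member).read()
                users = exposed_entries(raw.decode("utf-8", "replace"))
                if users:
                    findings[member.name] = users
    return findings

def build_sample(users_text):
    """Build a constructed in-memory package holding one miniserv.users."""
    buf = io.BytesIO()
    data = users_text.encode()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tar:
        info = tarfile.TarInfo("etc/webmin/miniserv.users")  # constructed path
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    # Constructed samples: one package with a hash, one with a placeholder.
    leaky = build_sample("root:$1$CONSTRUCTED$notarealhash0000000000:0\n")
    clean = build_sample("root:x:0\n")
    print("leaky:", audit_package(leaky))
    print("clean:", audit_package(clean))
```

For a package on disk, pass `open(path, "rb")` to `audit_package`; any package it flags should be deleted and the build host's root password treated as exposed, as the Resolution above states.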

Availability
============

This GLSA and any updates to it are available for viewing at the Gentoo
Security Website:

http://security.gentoo.org/glsa/glsa-200502-12.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost importance
to us. Any security concerns should be addressed to security@gentoo.org or
alternatively, you may file a bug at http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0


3.


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 200502-13
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Perl: Vulnerabilities in perl-suid wrapper
Date: February 11, 2005
Bugs: #80460
ID: 200502-13

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Vulnerabilities leading to file overwriting and code execution with
elevated privileges have been discovered in the perl-suid wrapper.

Background
==========

Perl is a stable, cross-platform programming language created by Larry
Wall. The perl-suid wrapper allows the use of setuid perl scripts, i.e.
user-callable Perl scripts which have elevated privileges. This function
is enabled only if you have the perlsuid USE flag set.

Affected packages
=================

-------------------------------------------------------------------
   Package           /  Vulnerable  /  Unaffected
-------------------------------------------------------------------
1  dev-lang/perl        < 5.8.6-r3     >= 5.8.6-r3
                                       *>= 5.8.5-r4
                                       *>= 5.8.4-r3
                                       *>= 5.8.2-r3

Description
===========

perl-suid scripts honor the PERLIO_DEBUG environment variable and
write to that file with elevated privileges (CAN-2005-0155).
Furthermore, calling a perl-suid script with a very long path while
PERLIO_DEBUG is set could trigger a buffer overflow (CAN-2005-0156).

Impact
======

A local attacker could set the PERLIO_DEBUG environment variable and call
existing perl-suid scripts, resulting in file overwriting and potentially
the execution of arbitrary code with root privileges.

Workaround
==========

You are not vulnerable if you do not have the perlsuid USE flag set or do
not use perl-suid scripts.

Resolution
==========

All Perl users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose dev-lang/perl
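
The Workaround above depends on whether any perl-suid scripts are in use on the host. This added example (not part of the Gentoo advisory) inventories them by walking a directory tree and listing regular files that have the setuid bit set and a perl interpreter line; the function names are hypothetical and the root directory to scan is the caller's choice.

```python
import os
import stat

def looks_like_setuid_perl(mode, first_line):
    """True for a regular setuid file whose first line is a perl shebang."""
    if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
        return False
    if not first_line.startswith(b"#!"):
        return False
    tokens = first_line[2:].split()
    # Covers "#!/usr/bin/perl -T" as well as "#!/usr/bin/env perl".
    return any(os.path.basename(t).startswith(b"perl") for t in tokens[:2])

def find_setuid_perl_scripts(root):
    """Walk root and return a sorted list of setuid perl script paths."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
                if not stat.S_ISREG(mode) or not mode & stat.S_ISUID:
                    continue
                with open(path, "rb") as fh:
                    first_line = fh.readline(256)
            except OSError:
                continue  # unreadable or vanished file; skip it
            if looks_like_setuid_perl(mode, first_line):
                hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    import sys
    for script in find_setuid_perl_scripts(sys.argv[1] if len(sys.argv) > 1 else "/usr"):
        print(script)
```

An empty result for the directories that hold local scripts supports the "do not use perl-suid scripts" condition; any hit means the upgrade in the Resolution applies.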

References
==========

[ 1 ] CAN-2005-0155
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0155
[ 2 ] CAN-2005-0156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0156

Availability
============

This GLSA and any updates to it are available for viewing at the
Gentoo Security Website:

http://security.gentoo.org/glsa/glsa-200502-13.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2005 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.0