Date: 21 Dec 2004 21:21:28 -0000
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #215
SecurityFocus Linux Newsletter #215
------------------------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------
I. FRONT AND CENTER
     1. Zero Viruses In 2005?
II. LINUX VULNERABILITY SUMMARY
     1. Opera Web Browser Download Dialogue Box File Name Spoofing V...
     2. Citadel/UX Network Data Logging Remote Format String Vulnera...
     3. PhpDig Unspecified Remote Vulnerability
     4. SugarSales Multiple Remote Vulnerabilities
     5. SQLgrey Postfix Greylisting Service Unspecified SQL Injectio...
     6. Opera Web Browser KDE KFMCLIENT Remote Command Execution Vul...
     7. Linux NFS 64-Bit Architecture Remote Buffer Overflow Vulnera...
     8. ZGV Image Viewer Animated GIF Remote Memory Corruption Vulne...
     9. Linux Kernel IGMP Multiple Vulnerabilities
     10. Sun Java System Web And Application Server Remote Session Di...
     11. Linux Kernel SCM_SEND Local Denial of Service Vulnerability
     12. Adobe Acrobat Reader Email Message Remote Buffer Overflow Vu...
     13. Linux Kernel Local DRM Denial Of Service Vulnerability
     14. Linux Kernel PROC Filesystem Local Information Disclosure Vu...
     15. Linux Kernel Sys32_NI_Syscall/Sys32_VM86_Warning Local Buffe...
     16. Linux Kernel Sock_DGram_SendMsg Local Denial Of Service Vuln...
     17. Vim Modelines Arbitrary Command Execution Variant Vulnerabil...
     18. Novell NetMail Multiple Remote Vulnerabilities
     19. Ethereal Multiple Unspecified Denial of Service and Potentia...
     20. Linux Kernel Multiple Local Vulnerabilities
     21. ChBg Scenario File Overflow Vulnerability
     22. MPG123 Find Next File Remote Client-Side Buffer Overflow Vul...
     23. IglooFTP Server Response Download Filename File Corruption V...
     24. IglooFTP File Upload Insecure Temporary File Vulnerability
     25. MPlayer MMST Get_Header Remote Client-Side Buffer Overflow V...
     26. PHP Multiple Local And Remote Vulnerabilities
     27. TNFTP FTP Client Directory Traversal Vulnerability
     28. Xine-Lib Remote Client-Side Buffer Overflow Vulnerability
     29. Samba Directory Access Control List Remote Integer Overflow ...
     30. Yanf HTTP Response Buffer Overflow Vulnerability
     31. JPegToAvi File List Buffer Overflow Vulnerability
     32. Vilistextum HTML Attribute Parsing Buffer Overflow Vulnerabi...
     33. 2Fax Tab Expansion Buffer Overflow Vulnerability
     34. PHP Multiple Remote Vulnerabilities
     35. MPlayer And Xine-Lib Multiple Remote Client-Side Buffer Over...
     36. QwikMail HELO Command Buffer Overflow Vulnerability
     37. NASM Error Preprocessor Directive Buffer Overflow Vulnerabil...
     38. PHP JPEG Image Buffer Overflow Vulnerability
     39. NetBSD Multiple Local Unspecified Binary Compatibility Layer...
     40. YAMT ID3 Tag Sort Command Execution Vulnerability
     41. O3Read HTML Parser Buffer Overflow Vulnerability
     42. HTML2HDML File Conversion Buffer Overflow Vulnerability
     43. Easy Software Products LPPassWd CUPS Password File Truncatio...
     44. Easy Software Products LPPassWd Resource Limit Denial Of Ser...
     45. ASP2PHP Preparse Token Variable Buffer Overflow Vulnerabilit...
     46. ASP2PHP Preparse Temp Variable Buffer Overflow Vulnerability
     47. UML_Utilities UML_Net Slip Network Interface Denial Of Servi...
     48. ABC2MTEX Process ABC Key Field Buffer Overflow Vulnerability
     49. ABCPP Directive Handler Buffer Overflow Vulnerability
     50. ABC2PS/JCABC2PS Voice Field Buffer Overflow Vulnerability
III. LINUX FOCUS LIST SUMMARY
     1. *nix data wipe tools (Thread)
IV. NEW PRODUCTS FOR LINUX PLATFORMS
     1. CoreGuard Core Security System
     2. EnCase Forensic Edition
     3. KeyGhost SX
     4. SafeKit
     5. Astaro Linux Firewall
     6. CAT Cellular Authentication Token and eAuthentication Servic...
V. NEW TOOLS FOR LINUX PLATFORMS
     1. pasmal 1.5
     2. PatchLink Update 6.01.78
     3. AutoScan b0.92 R6
     4. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
     5. rootsh 0.2
     6. Maillog View  v1.03.3
VII. SPONSOR INFORMATION

I. FRONT AND CENTER
-------------------
1. Zero Viruses In 2005?
By Kelly Martin 

It's the time of year to reflect on the good security choices you've made
over the year, the defense-in-depth strategy that you've decided to follow,
and plan for your response to future threats and virus outbreaks.

http://www.securityfocus.com/columnists/284

II. LINUX VULNERABILITY SUMMARY
-------------------------------
1. Opera Web Browser Download Dialogue Box File Name Spoofing V...
BugTraq ID: 11883
Remote: Yes
Date Published: Dec 11 2004
Relevant URL: http://www.securityfocus.com/bid/11883
Summary:
A download dialogue box file name spoofing vulnerability affects Opera. 
This issue is due to a design error that facilitates the spoofing of 
file names.

The problem presents itself when an unsuspecting user attempts to 
download a file from a malicious site. The malicious web site may respond 
with HTTP header data that is sufficient to trigger the issue. As a 
result of this attack, the requested filename and file type may be 
misrepresented in a file download dialog, making it possible for an attacker to 
make a potentially malicious file seem innocuous.

2. Citadel/UX Network Data Logging Remote Format String Vulnera...
BugTraq ID: 11885
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11885
Summary:
A remote format string vulnerability reportedly affects the network 
data logging functionality of Citadel/UX.  This issue is due to a failure 
of the application to properly sanitize user-supplied input prior to 
passing it as the format specifier to a formatted printing function.

A remote attacker may leverage this issue to write to arbitrary process 
memory, facilitating code execution.  Any code execution would take 
place with superuser privileges.
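
The bug class above (network data reaching a printf-family function as the
format argument) is easy to recognise once seen side by side with the fix.
The following is an added example written for this newsletter; it is not
Citadel/UX code, and the logger, function names and the constructed client
line are assumptions for illustration only.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example; this is not Citadel/UX code. It reproduces the bug class
 * in the summary above: a line received from the network is passed to a
 * printf-family logger as the FORMAT argument instead of as a %s argument.
 * The logger and function names are assumptions for illustration. */

/* A typical logging wrapper: takes a format and arguments, like syslog(). */
void logmsg(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* Vulnerable: the client's bytes ARE the format string. "%x" directives
 * make vsnprintf read stack slots that were never passed, and "%n" writes
 * the number of bytes emitted so far to an address it reads from the
 * stack, which is the write primitive the summary refers to. In this
 * example it is only ever called with "%%", whose behaviour is defined,
 * to show that the input is being interpreted rather than copied. */
int log_line_vulnerable(char *out, size_t outsz, const char *client_line)
{
    logmsg(out, outsz, client_line);        /* BUG: untrusted data as format */
    return (int)strlen(out);
}

/* Hardened: literal format, untrusted data as a %s argument. Directives in
 * the client line are logged verbatim and never interpreted. */
int log_line_hardened(char *out, size_t outsz, const char *client_line)
{
    logmsg(out, outsz, "client said: %s", client_line);
    return (int)strlen(out);
}

/* Trust-boundary check: does untrusted text contain any conversion
 * directive? Useful for raising an alert on suspicious input; it is not a
 * substitute for the literal-format fix above. "%%" is a literal percent. */
int contains_format_directive(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char out[128];
    const char *line = "100%% done";   /* constructed client input */
    log_line_vulnerable(out, sizeof out, line);
    printf("vulnerable: %s\n", out);   /* "%%" was interpreted: 100% done */
    log_line_hardened(out, sizeof out, line);
    printf("hardened:   %s\n", out);   /* logged verbatim */
    printf("suspicious: %d\n", contains_format_directive("%x %x %n"));
    return 0;
}
```

The hardened form is the whole fix: every call site that passes a
non-literal format to logmsg() is a candidate for this bug, and compiling
with -Wformat-security (or adding a format attribute to the wrapper) flags
them.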

3. PhpDig Unspecified Remote Vulnerability
BugTraq ID: 11889
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11889
Summary:
PhpDig is reported prone to a security vulnerability. The details of 
this vulnerability are unspecified.

It is conjectured that this vulnerability may be exploited by a remote 
attacker to compromise a computer that is hosting the vulnerable 
software.

This BID will be updated as soon as further details are available.

4. SugarSales Multiple Remote Vulnerabilities
BugTraq ID: 11896
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11896
Summary:
Multiple remote vulnerabilities are reported to exist in SugarSales.

The first reported issue is an SQL injection vulnerability. This 
vulnerability is due to a lack of proper input validation by the application 
prior to using attacker-supplied data in an SQL query.

This vulnerability is reported to exist in versions prior to 2.0.1a.

The next issue is reportedly a directory traversal vulnerability. This 
vulnerability is also due to a lack of proper input-validation by the 
application.

The last reported issue is a remote denial of service and information 
disclosure vulnerability.

The directory traversal and installation script vulnerabilities 
reportedly exist in all current versions of SugarSales.

These vulnerabilities may be related to the issues disclosed in BID 
11740.

5. SQLgrey Postfix Greylisting Service Unspecified SQL Injectio...
BugTraq ID: 11898
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11898
Summary:
SQLgrey Postfix Greylisting Service is prone to an unspecified SQL 
injection vulnerability.  This issue is reportedly due to insufficient 
sanitization of SQL syntax from fields in email processed by the software.  

The issue could be exploited to influence SQL queries, potentially 
allowing for compromise of the software or other attacks that impact 
database security.

This issue was reportedly missed by the vendor when they fixed the 
issue described in BID 11633.

6. Opera Web Browser KDE KFMCLIENT Remote Command Execution Vul...
BugTraq ID: 11901
Remote: Yes
Date Published: Dec 13 2004
Relevant URL: http://www.securityfocus.com/bid/11901
Summary:
It is reported that Opera for Linux is susceptible to a remote command 
execution vulnerability. This issue is due to a default configuration 
setting in Opera that utilizes the KDE 'kfmclient' utility to open 
unknown content.

Exploitation of this issue allows attacker-supplied commands to be 
executed in the context of the user running Opera.

Version 7.54 of Opera for Linux with KDE version 3.2.3 is reported 
vulnerable to this issue. Other versions may also be affected.

7. Linux NFS 64-Bit Architecture Remote Buffer Overflow Vulnera...
BugTraq ID: 11911
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11911
Summary:
A remote buffer overflow reportedly affects the disk quota 
functionality of the Linux NFS utilities.  This issue is due to a failure of the 
application to properly validate the length of user-supplied strings 
prior to copying them into static process buffers.

An attacker may leverage this issue to execute arbitrary code on an affected 
computer with superuser privileges.  This may be exploited to gain 
unauthorized access or privilege escalation.

8. ZGV Image Viewer Animated GIF Remote Memory Corruption Vulne...
BugTraq ID: 11915
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11915
Summary:
A remote memory corruption vulnerability affects the animated GIF 
functionality of zgv. It should be noted that although it is likely that 
xzgv is also vulnerable to this issue, this has not been confirmed. The 
underlying issue causing this vulnerability is unknown, although it is 
likely due to a failure of the application to handle malformed image 
files.

The full impact of this issue is currently unknown, however this issue 
can be leveraged to cause the affected application to crash.  It is 
possible, however unconfirmed, that this issue may be leveraged to execute 
arbitrary code.

9. Linux Kernel IGMP Multiple Vulnerabilities
BugTraq ID: 11917
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11917
Summary:
Linux kernel IGMP functionality is reported prone to multiple 
vulnerabilities.  These issues can allow local attackers to carry out denial of 
service and privilege escalation attacks.  Remote attackers may also 
cause denial of service conditions in vulnerable computers.

The first issue exists in the 'ip_mc_source()' function and may allow 
local attackers to cause a denial of service condition or gain elevated 
privileges.

The second issue is related to the first issue and may allow an 
attacker to disclose sensitive kernel memory.

The third vulnerability exists in the IGMP/IP networking module and may 
allow remote attackers to cause a denial of service condition in a 
vulnerable computer.

10. Sun Java System Web And Application Server Remote Session Di...
BugTraq ID: 11918
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11918
Summary:
A remote session disclosure vulnerability affects the Sun Java System 
Web and Application Servers.  This issue is due to a design error that 
may cause session IDs to be revealed.

This issue may be exploited to steal session IDs from unsuspecting 
users and gain access to their current sessions.  Reportedly only sessions 
that do not require authentication are affected by this issue.

11. Linux Kernel SCM_SEND Local Denial of Service Vulnerability
BugTraq ID: 11921
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11921
Summary:
Linux kernel is reported prone to a local denial of service 
vulnerability.  This issue presents itself in the SCM logical sub layer of the 
socket API. 

An unprivileged application can craft a malformed auxiliary message and 
send it to a socket, which results in the kernel invoking 
'__scm_send()' in a manner that leads to a crash.  This issue can allow local 
attackers to cause a denial of service condition on a vulnerable computer.  
It is not confirmed if this vulnerability can be leveraged to gain 
elevated privileges.

12. Adobe Acrobat Reader Email Message Remote Buffer Overflow Vu...
BugTraq ID: 11923
Remote: Yes
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11923
Summary:
A remote buffer overflow vulnerability reportedly affects the email 
message checking functionality in Adobe Acrobat Reader for Unix. This 
issue is due to a failure of the application to properly validate the 
length of user-supplied strings prior to copying them into static process 
buffers.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This 
may facilitate unauthorized access or privilege escalation.

It should be noted that this issue only affects Adobe Acrobat Reader 
for the Unix platform.

13. Linux Kernel Local DRM Denial Of Service Vulnerability
BugTraq ID: 11936
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11936
Summary:
It is reported that the DRM module in the Linux kernel is susceptible 
to a local denial of service vulnerability.

This vulnerability likely results in the corruption of video memory, 
crashing the X server. It is also reported that malicious users may be 
able to modify the video output.

Further details are unavailable at this time. This BID will be updated 
as further analysis is completed.

14. Linux Kernel PROC Filesystem Local Information Disclosure Vu...
BugTraq ID: 11937
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11937
Summary:
It is reported that the Linux kernel /proc filesystem is susceptible to 
an information disclosure vulnerability. This issue is due to a 
race-condition allowing unauthorized access to potentially sensitive process 
information.

This vulnerability may allow malicious local users to gain access to 
potentially sensitive environment variables in other users' processes. As 
some programs pass passwords and other sensitive information in 
environment variables, this may aid a malicious user in further attacks.

Further details are unavailable at this time. This BID will be updated 
as further analysis is completed.

15. Linux Kernel Sys32_NI_Syscall/Sys32_VM86_Warning Local Buffe...
BugTraq ID: 11938
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11938
Summary:
The Linux kernel for 64-Bit architectures is reported prone to a local 
buffer overflow vulnerability.

This vulnerability exists in 'sys32_ni_syscall()' and 
'sys32_vm86_warning()' as a result of an unbounded copy of a 16 byte string into an 8 
byte buffer using the strcpy() function. 

Immediate consequences of exploitation of this vulnerability could be a 
kernel panic; this could be used to deny service to legitimate users. 
It is not currently known whether this vulnerability may be leveraged to 
provide for execution of arbitrary code.
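
The 16-byte-into-8-byte strcpy() described above is the same unbounded
string copy behind many of the other items in this issue (the NFS quota,
Acrobat Reader, mpg123, MPlayer and xine-lib overflows all describe
strings copied into static buffers without a length check). The following
is an added example written for this newsletter, not kernel code; only the
8 and 16 byte sizes come from the summary, and the struct layout and
function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example; this is not Linux kernel code. The summary above describes
 * an unbounded strcpy() of a 16-byte string into an 8-byte buffer. This
 * shows that pattern next to a bounded copy that reports truncation instead
 * of overrunning. The struct layout and function names are assumptions; only
 * the 8/16 sizes come from the summary. */

struct record {
    char name[8];          /* the undersized destination */
    unsigned int flags;    /* what an overrun clobbers first */
};

/* Vulnerable: no length check. A 16-character source writes 17 bytes
 * (16 plus the NUL) into an 8-byte field, overwriting 'flags' and whatever
 * follows the struct. Shown for contrast; never called with long input. */
void set_name_vulnerable(struct record *r, const char *src)
{
    strcpy(r->name, src);                          /* BUG */
}

/* Bounded copy with strlcpy()'s contract: copies at most dstsz-1 bytes,
 * always NUL-terminates, and returns strlen(src) so the caller can detect
 * truncation by comparing the result against dstsz. */
size_t bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsz == 0)
        return srclen;
    size_t n = srclen < dstsz - 1 ? srclen : dstsz - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return srclen;
}

/* Hardened setter. For an identifier, silently truncating is itself a bug
 * (two different inputs collapse to one stored value), so over-long input
 * is rejected outright. Returns 0 on success, -1 if src does not fit. */
int set_name_hardened(struct record *r, const char *src)
{
    if (bounded_copy(r->name, sizeof r->name, src) >= sizeof r->name) {
        r->name[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    struct record r = { "", 0xdeadbeefu };
    const char *sixteen = "0123456789abcdef";    /* constructed 16-byte input */
    int rc = set_name_hardened(&r, sixteen);
    printf("rc=%d name=\"%s\" flags=0x%x\n", rc, r.name, r.flags);
    rc = set_name_hardened(&r, "root");
    printf("rc=%d name=\"%s\" flags=0x%x\n", rc, r.name, r.flags);
    return 0;
}
```

Note the off-by-one that the bounded version encodes: an 8-byte buffer
holds seven characters plus the terminator, so an 8-character name is
rejected, not stored.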

16. Linux Kernel Sock_DGram_SendMsg Local Denial Of Service Vuln...
BugTraq ID: 11939
Remote: No
Date Published: Dec 14 2004
Relevant URL: http://www.securityfocus.com/bid/11939
Summary:
The Linux kernel is reported to be prone to a local denial of service 
vulnerability. This vulnerability is reported to exist when 
'CONFIG_SECURITY_NETWORK=y' and 'CONFIG_SECURITY_SELINUX=y' options are set in the 
Linux kernel.

A local attacker may exploit this vulnerability to trigger a kernel 
panic and effectively deny service to legitimate users.

17. Vim Modelines Arbitrary Command Execution Variant Vulnerabil...
BugTraq ID: 11941
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11941
Summary:
Vim modelines are prone to a vulnerability that may permit execution of 
arbitrary commands.  Reportedly, certain modeline options expose this 
issue.  Exploitation could occur when a malicious file is opened in the 
editor and would occur in the context of the user opening the file.

This issue is similar to BID 6384.

18. Novell NetMail Multiple Remote Vulnerabilities
BugTraq ID: 11942
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11942
Summary:
Multiple remote vulnerabilities reportedly affect Novell NetMail.  
These vulnerabilities stem from several causes, including failure to 
verify string lengths before copying strings into static process buffers, 
failure to handle malformed input, and various design errors.

The first issue reported is a buffer overflow vulnerability in the IMAP 
functionality of the affected application.  The second issue is a 
failure of the application to properly integrate with Symantec antivirus 
software.  Finally, a number of reported issues may facilitate denial of 
service attacks, although these are not confirmed.

An attacker may leverage these issues to execute arbitrary code on the 
affected computer, facilitating system compromise; to bypass anti-virus 
screening, leaving users with a false sense of security; and potentially 
to carry out denial of service attacks.

19. Ethereal Multiple Unspecified Denial of Service and Potentia...
BugTraq ID: 11943
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11943
Summary:
Ethereal 0.10.8 has been released to address multiple vulnerabilities.  
These vulnerabilities are reported to cause denial of service 
conditions in the application, however, it is reported that some issues may 
allow for arbitrary code execution.

The following specific issues were reported:

A denial of service vulnerability presents itself in the DICOM 
dissector.

The application suffers from a denial of service vulnerability when 
handling a malformed RTP timestamp.

It is reported that the HTTP dissector may allow a remote attacker to 
access memory that was previously freed.

Another denial of service issue affecting the application arises when 
Ethereal processes a specially crafted SMB packet.

This BID will be updated as more information becomes available.

20. Linux Kernel Multiple Local Vulnerabilities
BugTraq ID: 11956
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11956
Summary:
The Linux kernel is reported prone to multiple local vulnerabilities. 
The following individual issues are reported:

An integer overflow is reported to exist in 'ip_options_get()' in the 
'ip_options.c' kernel source file; this vulnerability is reported 
to exist only in the 2.6 kernel tree. 

Although unconfirmed, due to the nature of this vulnerability it is 
conjectured that this issue may be further leveraged to provide for 
arbitrary code execution with ring 0 privileges.

A local attacker may exploit this vulnerability to deny service to 
legitimate users. Other attacks are also likely possible.

A second integer overflow vulnerability is reported to exist in the 
'vc_resize()' function of the Linux kernel; this vulnerability is reported 
to exist in both the 2.6 and 2.4 kernel trees. 

Although unconfirmed, due to the nature of this vulnerability it is 
conjectured that this issue may be further leveraged to provide for 
arbitrary code execution with ring 0 privileges.

A local attacker may exploit this vulnerability to deny service to 
legitimate users. Other attacks are also likely possible.

A third vulnerability, a memory leak, is reported to exist in 
'ip_options_get()' in the 'ip_options.c' kernel source file; this vulnerability 
is reported to exist in both the 2.6 and 2.4 kernel trees.

A local attacker may exploit this vulnerability to consume kernel heap 
memory resources and in doing so may impact system performance 
ultimately resulting in a denial of service to legitimate users.

21. ChBg Scenario File Overflow Vulnerability
BugTraq ID: 11957
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11957
Summary:
ChBg is reported prone to a remote buffer overflow vulnerability.  This 
issue arises because the application fails to carry out proper boundary 
checks before copying user-supplied data in to sensitive process 
buffers.  It is reported that this issue can allow an attacker to gain 
superuser privileges on a vulnerable computer.

An attacker can exploit this issue by crafting a malicious scenario 
file. A scenario is a file containing a list of pictures to display.

If a user obtains this file and processes it through ChBg, the 
attacker-supplied instructions may be executed on the vulnerable computer.

ChBg 1.5 is reported prone to this vulnerability.  It is likely that 
other versions are affected as well.

22. MPG123 Find Next File Remote Client-Side Buffer Overflow Vul...
BugTraq ID: 11958
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11958
Summary:
A remote client-side buffer overflow vulnerability affects mpg123.  
This issue is due to a failure of the application to properly validate the 
length of user-supplied strings prior to copying them into static 
process buffers.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This 
may facilitate unauthorized access or privilege escalation.

23. IglooFTP Server Response Download Filename File Corruption V...
BugTraq ID: 11960
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11960
Summary:
IglooFTP does not properly sanitize server-supplied filenames during 
downloads, potentially allowing for files to be created or overwritten in 
the context of the client user.  This issue is reported to occur when 
the FTP client is used to recursively download files from a remote FTP 
server.

This issue reportedly exists in UNIX/Linux based versions of IglooFTP.  
It is not known if Windows versions are affected.

24. IglooFTP File Upload Insecure Temporary File Vulnerability
BugTraq ID: 11961
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11961
Summary:
IglooFTP creates temporary files in an insecure manner.  This issue is 
reported to occur when the client is uploading files to a remote 
server.  An attacker could abuse this issue through symbolic link attacks 
that corrupt files owned by the user, most likely resulting in a loss of 
data.

This issue reportedly exists in UNIX/Linux based versions of IglooFTP.  
It is not known if Windows versions are affected.
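
The symbolic link attack described above works because the client opens a
predictable temporary name without O_EXCL, so a link planted there by
another local user redirects the write. The following is an added example
written for this newsletter, not IglooFTP code; it shows the unsafe open
beside a mkstemp()-based replacement with a post-open sanity check. The
template prefix and function names are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example; this is not IglooFTP code. It shows the temporary-file
 * pattern the summary describes (a predictable name created with open()
 * that a local attacker can pre-create as a symlink) next to the mkstemp()
 * replacement. The template prefix and names are assumptions. */

/* Vulnerable: predictable name, and O_CREAT without O_EXCL follows a
 * symlink an attacker planted at that name, so the O_TRUNC and the write
 * land on whatever file the link points to (e.g. the user's own ~/.profile).
 * Returns the fd. Shown for contrast; not called in this example. */
int open_upload_temp_vulnerable(const char *predictable_name)
{
    return open(predictable_name, O_WRONLY | O_CREAT | O_TRUNC, 0600); /* BUG */
}

/* Hardened: mkstemp() picks an unpredictable name and opens it with
 * O_CREAT|O_EXCL and mode 0600, so a pre-planted link or file at that name
 * makes it try another name instead of following it. The chosen name is
 * written back into 'template' (which must end in "XXXXXX"); the caller
 * owns the fd and must unlink the file when done. Returns -1 on failure. */
int open_upload_temp_hardened(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    /* Belt and braces: the descriptor must refer to a plain file with a
     * single link, i.e. not something swapped in behind our back. */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

int main(void)
{
    char name[] = "/tmp/upload-XXXXXX";     /* assumed template */
    int fd = open_upload_temp_hardened(name);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s\n", name);
    write(fd, "queued upload\n", 14);
    close(fd);
    unlink(name);
    return 0;
}
```

If the client must use a fixed name for some reason, the minimum is
O_CREAT|O_EXCL (and O_NOFOLLOW where available) and treating EEXIST as an
error rather than truncating whatever is already there.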

25. MPlayer MMST Get_Header Remote Client-Side Buffer Overflow V...
BugTraq ID: 11962
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11962
Summary:
A remote, client-side buffer overflow vulnerability reportedly affects 
MPlayer. This issue is due to a failure of the application to properly 
validate the length of user-supplied strings prior to copying them into 
static process buffers.

An attacker may exploit this issue to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This 
may facilitate unauthorized access or privilege escalation.

26. PHP Multiple Local And Remote Vulnerabilities
BugTraq ID: 11964
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11964
Summary:
PHP4 and PHP5 are reported prone to multiple local and remote 
vulnerabilities that may lead to code execution within the context of the 
vulnerable process. The following specific issues are reported:

A heap-based buffer overflow is reported to affect the PHP 'pack()' 
function call. An attacker that has the ability to make the PHP 
interpreter run a malicious script may exploit this condition to execute 
arbitrary instructions in the context of the vulnerable process.

A heap-based memory disclosure vulnerability is reported to affect the 
PHP 'unpack()' function call. An attacker that has the ability to make 
the PHP interpreter run a malicious script may exploit this condition 
to reveal portions of the process heap.

PHP safe_mode_exec_dir is reported prone to an access control bypass 
vulnerability. A local attacker that can manipulate the directory name 
from which the PHP script is called, may bypass 'safe_mode_exec_dir' 
restrictions by placing shell metacharacters and restricted commands into 
the directory name of the current directory.

PHP safe_mode is reported prone to an access control bypass 
vulnerability. An attacker that has the ability to make the PHP interpreter run a 
malicious script may exploit this condition to execute commands that 
are otherwise restricted by PHP safe_mode.

PHP is reported prone to a 'realpath()' path truncation vulnerability. 
The vulnerability exists due to a lack of sanitization as to whether a 
path has been silently truncated by the libc realpath() function or 
not. This may lead to remote file include vulnerabilities in some cases.

The PHP function 'unserialize()' is reported prone to a memory 
corruption vulnerability. This corruption may be leveraged by a remote attacker 
that has the ability to make the PHP interpreter run a malicious script 
to execute arbitrary code in the context of the vulnerable process.

The PHP function 'unserialize()' is also reported prone to an 
information disclosure vulnerability. This issue may be leveraged by a remote 
attacker to disclose the contents of heap memory. This may allow them to 
gain access to potentially sensitive information, such as database 
credentials.

Finally, the PHP function 'unserialize()', is reported prone to an 
additional vulnerability. It is reported that previous versions of this 
function allow a malicious programmer to set references to entries of a 
variable hash that have already been freed. This can lead to remote 
memory corruption.

27. TNFTP FTP Client Directory Traversal Vulnerability
BugTraq ID: 11965
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11965
Summary:
The tnftp FTP client is reported susceptible to a directory traversal 
vulnerability. This issue is due to a failure of the application to 
properly sanitize user-supplied input data.

An attacker controlling a malicious remote server can use this issue to 
write to arbitrary locations on the client's computer with the privileges 
of the user invoking the vulnerable FTP client. Depending on the client's 
configuration, new files may be created and existing files overwritten or 
appended to, possibly without confirmation.
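
This item and the IglooFTP download issue (item 23) share one root cause:
the client takes a filename from the server's directory listing and uses
it, unchecked, to build the local path it writes to. The following is an
added example written for this newsletter, not tnftp or IglooFTP code; the
function names and the rejection policy are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example; this is not tnftp or IglooFTP code. Both summaries
 * describe an FTP client trusting a server-supplied name when choosing
 * where to write a downloaded file. This checks such a name before it is
 * joined onto the download directory. Names and policy are assumptions. */

/* Returns 1 if 'name' (as received from the server, e.g. from a LIST/NLST
 * reply during a recursive download) is acceptable as a relative path
 * under the download directory, 0 otherwise. Rejected: empty names,
 * absolute paths, backslash separators, control characters, empty
 * components ("a//b", trailing '/'), and any "." or ".." component. */
int server_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return 0;
    if (name[0] == '/')                          /* absolute path */
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        if (*p < 0x20 || *p == 0x7f || *p == '\\')
            return 0;
    }
    const char *start = name;
    for (;;) {
        const char *slash = strchr(start, '/');
        size_t len = slash ? (size_t)(slash - start) : strlen(start);
        if (len == 0)
            return 0;
        if (len == 1 && start[0] == '.')
            return 0;
        if (len == 2 && start[0] == '.' && start[1] == '.')
            return 0;
        if (slash == NULL)
            break;
        start = slash + 1;
    }
    return 1;
}

/* Builds "<dir>/<name>" only if the name passes the check.
 * Returns 0 on success, -1 if the name was rejected or does not fit. */
int local_path_for(char *out, size_t outsz, const char *dir, const char *name)
{
    if (!server_name_is_safe(name))
        return -1;
    int n = snprintf(out, outsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}

int main(void)
{
    /* constructed server-supplied names, one benign and two hostile */
    const char *names[] = { "docs/readme.txt", "../../.ssh/authorized_keys",
                            "/etc/passwd" };
    char path[256];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (local_path_for(path, sizeof path, "/home/user/dl", names[i]) == 0)
            printf("accept %-30s -> %s\n", names[i], path);
        else
            printf("reject %s\n", names[i]);
    }
    return 0;
}
```

Rejecting rather than normalising is deliberate: a "sanitised" name that
silently drops ".." still lets the server pick the file name, while a
rejected entry simply fails the download and logs the server as hostile.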

28. Xine-Lib Remote Client-Side Buffer Overflow Vulnerability
BugTraq ID: 11969
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11969
Summary:
It is reported that the xine media library is affected by a remote 
buffer overflow vulnerability. This issue can allow a remote attacker to 
gain unauthorized access to a vulnerable computer. The overflow condition 
presents itself in the 'demux_aiff.c' file.

29. Samba Directory Access Control List Remote Integer Overflow ...
BugTraq ID: 11973
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11973
Summary:
A remotely exploitable integer overflow vulnerability affects the 
directory access control list (DACL) processing functionality of Samba.  
This issue is due to a failure of the application to properly perform 
sanity checking on calculated data sizes prior to copying data into static 
process buffers.

An attacker with access to an SMB share may leverage this issue to 
overwrite the heap of the affected process, facilitating code execution 
with superuser privileges.
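
The Samba issue above and the two kernel integer overflows in item 20
('ip_options_get()' and 'vc_resize()') describe the same arithmetic
mistake: a size derived from attacker-controlled counts wraps around, a
small buffer is allocated, and the original, larger amount of data is
copied into it. The following is an added example written for this
newsletter, not Samba or kernel code; the DACL layout (a fixed header plus
'num_aces' entries of 'ace_size' bytes), the cap and the names are
assumptions, not Samba's actual structures.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; this is not Samba or Linux kernel code. Both summaries
 * describe a size computed from attacker-controlled counts being used for
 * a copy without a sanity check on the arithmetic. The DACL layout, cap
 * and names here are assumptions for illustration. */

#define DACL_HEADER_LEN 8u

/* Vulnerable: num_aces * ace_size is 32-bit arithmetic and wraps, so a
 * huge count yields a tiny allocation. The subsequent copy then uses the
 * attacker's count again and runs far past the heap block. */
uint32_t dacl_alloc_size_vulnerable(uint32_t num_aces, uint32_t ace_size)
{
    return DACL_HEADER_LEN + num_aces * ace_size;   /* BUG: can wrap */
}

/* Hardened: bound the count by (cap / ace_size) BEFORE multiplying, so the
 * product can never wrap, and then require the claimed total to fit in the
 * data actually received. Returns 0 with *out set, or -1 on implausible
 * input. The 1 MiB cap is an assumed policy limit. */
int dacl_alloc_size_checked(uint32_t num_aces, uint32_t ace_size,
                            uint32_t avail, uint32_t *out)
{
    const uint32_t max_total = 1u << 20;
    if (ace_size == 0)
        return -1;
    if (num_aces > (max_total - DACL_HEADER_LEN) / ace_size)
        return -1;                       /* would overflow or exceed cap */
    uint32_t total = DACL_HEADER_LEN + num_aces * ace_size;
    if (total > avail)
        return -1;                       /* claims more than the packet holds */
    *out = total;
    return 0;
}

/* Copies the ACL out of a received buffer into a fresh allocation sized by
 * the checked computation. Returns NULL if the sizes do not add up; the
 * caller frees the result. */
uint8_t *copy_dacl(const uint8_t *pkt, uint32_t pktlen,
                   uint32_t num_aces, uint32_t ace_size)
{
    uint32_t total;
    if (dacl_alloc_size_checked(num_aces, ace_size, pktlen, &total) != 0)
        return NULL;
    uint8_t *buf = malloc(total);
    if (buf == NULL)
        return NULL;
    memcpy(buf, pkt, total);
    return buf;
}

int main(void)
{
    uint8_t pkt[64] = { 0 };             /* constructed 64-byte packet body */
    uint32_t sz;

    /* honest request: 2 ACEs of 16 bytes */
    printf("vulnerable size: %u\n", dacl_alloc_size_vulnerable(2, 16));
    if (dacl_alloc_size_checked(2, 16, sizeof pkt, &sz) == 0)
        printf("checked size:    %u\n", sz);

    /* hostile request: 0x20000000 * 8 wraps to 0, so the vulnerable
     * computation asks for just the 8-byte header */
    printf("vulnerable size: %u\n", dacl_alloc_size_vulnerable(0x20000000u, 8));
    printf("checked:         %s\n",
           copy_dacl(pkt, sizeof pkt, 0x20000000u, 8) ? "accepted" : "rejected");
    return 0;
}
```

The ordering matters: a check written as "if (total < num_aces) overflow"
after the multiplication catches some wraps but not all, whereas dividing
the cap by the element size first makes the multiplication itself safe.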

30. Yanf HTTP Response Buffer Overflow Vulnerability
BugTraq ID: 11975
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11975
Summary:
Yanf is prone to a buffer overflow vulnerability.  This issue is 
exposed when the client reads data from a remote HTTP server.  

If this issue is successfully exploited, it could allow for execution 
of arbitrary code in the context of the user running the client.

31. JPegToAvi File List Buffer Overflow Vulnerability
BugTraq ID: 11976
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11976
Summary:
jpegtoavi is prone to a buffer overflow.  This issue is exposed when 
the software handles a malformed file list.  As the list originates from 
an external or untrusted source, this issue is considered remote in 
nature.  

If this vulnerability is successfully exploited, it will result in 
execution of arbitrary code in the context of the user running the 
application.

32. Vilistextum HTML Attribute Parsing Buffer Overflow Vulnerabi...
BugTraq ID: 11979
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11979
Summary:
Vilistextum is prone to a buffer overflow vulnerability.  This issue is 
exposed when the application parses HTML attributes while converting an 
HTML file to text/ASCII.  Since HTML files will likely originate from 
an external or untrusted source, this issue should be considered remote 
in nature.

Successful exploitation will allow for execution of arbitrary code in 
the context of the user running the application.

33. 2Fax Tab Expansion Buffer Overflow Vulnerability
BugTraq ID: 11980
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11980
Summary:
2fax is prone to a buffer overflow vulnerability.  This issue is 
exposed when the software performs tab expansion operations while converting 
files.  Since files may originate from an external or untrusted source, 
this issue is considered remote in nature.

Successful exploitation will result in execution of arbitrary code in 
the context of the user running the application.

34. PHP Multiple Remote Vulnerabilities
BugTraq ID: 11981
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11981
Summary:
PHP4 and PHP5 are reported prone to multiple remotely exploitable 
vulnerabilities.  These issues result from insufficient sanitization of 
user-supplied data.  A remote attacker may carry out directory traversal 
attacks to disclose arbitrary files and upload files to arbitrary 
locations.

It is reported that these vulnerabilities may only be exploited on 
Windows.

35. MPlayer And Xine-Lib Multiple Remote Client-Side Buffer Over...
BugTraq ID: 11987
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11987
Summary:
Multiple remote, client side buffer overflow vulnerabilities reportedly 
affect xine-lib and MPlayer.  These issues are due to a failure of the 
application to properly validate the length of user-supplied strings 
prior to copying them into static process buffers.

An attacker may exploit these issues to execute arbitrary code with the 
privileges of the user that activated the vulnerable application. This 
may facilitate unauthorized access or privilege escalation.

36. QwikMail HELO Command Buffer Overflow Vulnerability
BugTraq ID: 11989
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11989
Summary:
QwikMail (qwik-smtpd) is reported prone to a remotely exploitable 
buffer overflow vulnerability.  The issue is due to insufficient bounds 
checking of client-supplied SMTP HELO request data.

This issue could theoretically be exploited to execute arbitrary code.  
Due to the memory layout, it is also reportedly possible to overwrite 
an adjacent buffer in a manner that will allow a remote attacker to 
abuse the server as an unauthorized mail relay.
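
As an added illustration of the bug class in this report (example code 
written for this newsletter, not qwik-smtpd's source), the following C 
program copies a HELO argument into a fixed-size buffer with no length 
check and shows the state stored directly behind that buffer being 
overwritten, beside a bounded version that rejects over-long arguments. 
The 'struct session' layout, the 64-byte buffer, the 'relay_ok' flag and 
every name in it are assumptions; the daemon's real buffers are not 
described in the report beyond what the summary above says.

```c
/* Added example for BID 11989 (this is not qwik-smtpd's code): the bug
 * class described above, an unchecked copy of the HELO argument into a
 * fixed buffer with a relay-permission flag lying directly behind it.
 * Struct layout, the 64-byte size and all names are assumptions. */
#include <stdio.h>
#include <string.h>

struct session {
    char helo[64];   /* argument of the client's HELO command           */
    int  relay_ok;   /* 1 only once the client is allowed to relay mail */
};

/* Vulnerable: copies up to the NUL, not up to the end of helo[].  Written
 * as the loop strcpy() performs so it builds unchanged with fortified
 * libc headers, which would otherwise abort this demonstration. */
void helo_unsafe(struct session *s, const char *arg)
{
    char *d = s->helo;
    while ((*d++ = *arg++) != '\0')
        ;
}

/* Hardened: reject an over-long argument (the server answers 501 and may
 * drop the session) instead of truncating; never writes past helo[]. */
int helo_safe(struct session *s, const char *arg)
{
    size_t n = strlen(arg);
    if (n >= sizeof s->helo)
        return -1;
    memcpy(s->helo, arg, n + 1);
    return 0;
}

/* Constructed input: a HELO argument of `len` 'A's.  len is capped so the
 * overflow stays inside the struct and the demonstration is repeatable. */
static void make_helo_arg(char *arg, size_t cap, size_t len)
{
    if (len >= cap)
        len = cap - 1;
    memset(arg, 'A', len);
    arg[len] = '\0';
}

/* relay_ok after the unchecked copy: 0 for a normal hostname, non-zero
 * once the argument is longer than helo[] and spills into the flag. */
int relay_flag_after_unsafe_helo(size_t len)
{
    struct session s;
    char arg[sizeof s];
    memset(&s, 0, sizeof s);
    make_helo_arg(arg, sizeof arg, len);
    helo_unsafe(&s, arg);
    return s.relay_ok;
}

/* Same input through the bounded copy: -1 if rejected, otherwise
 * relay_ok, which stays 0 whatever the length. */
int relay_flag_after_safe_helo(size_t len)
{
    struct session s;
    char arg[sizeof s];
    memset(&s, 0, sizeof s);
    make_helo_arg(arg, sizeof arg, len);
    if (helo_safe(&s, arg) != 0)
        return -1;
    return s.relay_ok;
}

int main(void)
{
    printf("unchecked copy, 16-byte HELO: relay_ok = %d\n",
           relay_flag_after_unsafe_helo(16));
    printf("unchecked copy, 67-byte HELO: relay_ok = %#x\n",
           (unsigned)relay_flag_after_unsafe_helo(67));
    printf("bounded copy,   67-byte HELO: %d (rejected, flag untouched)\n",
           relay_flag_after_safe_helo(67));
    return 0;
}
```

The relay flag is the simplest stand-in for "adjacent buffer"; the 
point carries over to whatever the real daemon keeps next to its HELO 
buffer.  The fix is the length check before the copy, not a larger 
buffer: any fixed size can be exceeded by a client that controls the 
HELO argument.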

37. NASM Error Preprocessor Directive Buffer Overflow Vulnerabil...
BugTraq ID: 11991
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11991
Summary:
NASM is prone to a buffer overflow.  This condition is exposed when the 
application attempts to assemble a source file that contains malformed 
'%error' preprocessor directive arguments.  Since the source file may 
originate from an external or untrusted source, this vulnerability is 
considered remote in nature.

Successful exploitation will permit arbitrary code execution with the 
privileges of the user running the application.

38. PHP JPEG Image Buffer Overflow Vulnerability
BugTraq ID: 11992
Remote: Yes
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11992
Summary:
It is reported that PHP is susceptible to a buffer overflow 
vulnerability in handling JPEG images. This issue is due to a failure of the 
application to properly bounds check user-supplied image data prior to 
copying it into a fixed-size memory buffer.

This vulnerability allows remote attackers to alter the proper flow of 
execution of the application, potentially resulting in the execution of 
attacker-supplied machine code in the context of the web server 
executing the PHP interpreter.

39. NetBSD Multiple Local Unspecified Binary Compatibility Layer...
BugTraq ID: 11996
Remote: No
Date Published: Dec 16 2004
Relevant URL: http://www.securityfocus.com/bid/11996
Summary:
It is reported that NetBSD is susceptible to multiple unspecified local 
vulnerabilities in its binary compatibility layer. It is reported that 
many, if not all of the compatibility types are affected by these 
vulnerabilities. The system call translation functions reportedly execute 
unsafe operations with the user-supplied system call arguments.

This BID will be updated as further information is disclosed, and as 
further analysis is performed.

These vulnerabilities affect computers running NetBSD that have any 
'COMPAT_*' options defined in the running kernel.

These vulnerabilities allow local users to crash the kernel, denying 
service to legitimate users. It is also conjectured that some of these 
issues may allow for code execution in kernel-space, leading to privilege 
escalation.

40. YAMT ID3 Tag Sort Command Execution Vulnerability
BugTraq ID: 11999
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/11999
Summary:
YAMT (Yet Another MP3 Tool) is prone to a vulnerability that may allow 
attackers to execute arbitrary commands.  This issue is exposed when 
the program attempts to sort ID3 tags.  As this data may originate from 
an external or untrusted source, this issue is considered remote in 
nature.

Successful exploitation will allow an attacker to execute arbitrary 
commands when the software processes an MP3 that contains malicious ID3 
tag data.  This will occur in the context of the user running the 
application.

41. O3Read HTML Parser Buffer Overflow Vulnerability
BugTraq ID: 12000
Remote: Yes
Date Published: Dec 17 2004
Relevant URL: http://www.securityfocus.com/bid/12000
Summary:
o3read is prone to a buffer overflow vulnerability.  This issue is 
exposed when the program parses HTML content during file format conversion.  
This issue is considered to be remote in nature since it is possible 
that files may originate from an external or untrusted source.

Successful exploitation will result in code execution with the 
privileges of the user running the application.

42. HTML2HDML File Conversion Buffer Overflow Vulnerability
BugTraq ID: 12003
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12003
Summary:
html2hdml is prone to a buffer overflow vulnerability.  This issue is 
exposed when converting HTML files to HDML (Handheld Device Markup 
Language).  Since HTML files may originate from an external or untrusted 
source, this vulnerability is considered remote in nature.

Successful exploitation may result in execution of arbitrary code in 
the context of the user running the application.

43. Easy Software Products LPPassWd CUPS Password File Truncatio...
BugTraq ID: 12004
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12004
Summary:
Easy Software Products lppasswd is prone to a vulnerability that may 
let local attackers truncate the CUPS password file.  

This issue occurs because the program ignores write errors.  If a local 
attacker can fill up the drive or otherwise trigger a write error, it 
is possible that the operation of writing to the CUPS password file may 
be aborted.

The end result is that the CUPS password file may be truncated, likely 
causing a denial of service condition.

44. Easy Software Products LPPassWd Resource Limit Denial Of Ser...
BugTraq ID: 12005
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12005
Summary:
Easy Software Products lppasswd is prone to a locally exploitable 
denial of service vulnerability.  This issue occurs when the program 
attempts to write a file that exceeds a file size resource limit in 
effect for the process.  This presents a vulnerability since an 
unprivileged user with CUPS credentials may lower that limit (for 
example with the shell's ulimit) and then invoke the application.  The 
failed write leaves an empty '/usr/local/etc/cups/passwd.new' file 
behind.  While this file is present, future invocations of lppasswd 
will fail.

Successful exploitation will prevent users from changing their CUPS 
passwords with lppasswd.
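
As an added illustration of both lppasswd reports above (BIDs 12004 and 
12005), the following C program is example code written for this 
newsletter, not lppasswd's own source.  It places the writer pattern 
behind the reports, I/O errors ignored and the temporary file renamed 
over the live file regardless, beside a version that checks each write, 
close and rename, removes its temporary file on any failure, and so 
leaves neither a truncated password file nor a stale '.new' behind.  The 
'/tmp' path, the '<path>.new' temporary name, the 'user:group:hash' 
records and the 'ulimit -f 0' reproduction are assumptions made for the 
example.

```c
/* Added example for BIDs 12004 and 12005 (not lppasswd's own code): the
 * unchecked writer pattern behind both reports beside a version that
 * checks every step.  DEMO_PATH, "<path>.new" and the records are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEMO_PATH "/tmp/bid12004-demo-passwd"
#define DEMO_TMP  DEMO_PATH ".new"
const char *const DEMO_RECS[] = { "alice:0:hash1", "bob:0:hash2" }; /* constructed */

long file_size(const char *path)            /* -1 if the file does not exist */
{ struct stat st; return stat(path, &st) == 0 ? (long)st.st_size : -1; }
int demo_reset(void) { unlink(DEMO_PATH); unlink(DEMO_TMP); return 0; }

/* Vulnerable pattern: a write that hit a full disk or "ulimit -f" goes
 * unnoticed and an empty file is renamed over the live password file. */
int write_passwd_unsafe(const char *path, const char *const *recs, size_t n)
{
    char tmp[4096];
    snprintf(tmp, sizeof tmp, "%s.new", path);
    FILE *fp = fopen(tmp, "w");
    if (fp == NULL)
        return -1;
    for (size_t i = 0; i < n; i++)
        fprintf(fp, "%s\n", recs[i]);       /* error not checked */
    fclose(fp);                             /* error not checked */
    return rename(tmp, path);               /* installs whatever got written */
}

/* Hardened: exclusive create (a leftover .new is reported, not clobbered),
 * every write checked, temp removed on any failure, rename only after a
 * successful flush, fsync and close.  Returns 0, or -1 with errno set. */
int write_passwd_safe(const char *path, const char *const *recs, size_t n)
{
    char tmp[4096];
    FILE *fp = NULL;
    int fd, rc, saved;
    if (snprintf(tmp, sizeof tmp, "%s.new", path) >= (int)sizeof tmp)
        return errno = ENAMETOOLONG, -1;
    if ((fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    if ((fp = fdopen(fd, "w")) == NULL)
        goto fail;
    for (size_t i = 0; i < n; i++)
        if (fprintf(fp, "%s\n", recs[i]) < 0)
            goto fail;
    if (fflush(fp) != 0 || fsync(fd) != 0)  /* buffered data reaches the disk here */
        goto fail;
    rc = fclose(fp);
    fp = NULL, fd = -1;                     /* closed either way */
    if (rc != 0 || rename(tmp, path) != 0)
        goto fail;
    return 0;
fail:
    saved = errno;
    if (fp != NULL) fclose(fp); else if (fd >= 0) close(fd);
    unlink(tmp);                            /* never leave a stale .new behind */
    errno = saved;
    return -1;
}

/* Call a writer the way a user who ran "ulimit -f 0" would.  SIGXFSZ is
 * ignored so the write fails with EFBIG instead of killing the process;
 * the old limit and signal disposition are restored afterwards. */
int run_under_fsize_limit(int (*writer)(const char *, const char *const *, size_t),
                          const char *path, const char *const *recs, size_t n)
{
    struct rlimit old, zero;
    struct sigaction ign = { .sa_handler = SIG_IGN }, prev;
    int rc;
    if (getrlimit(RLIMIT_FSIZE, &old) != 0 || sigaction(SIGXFSZ, &ign, &prev) != 0)
        return -1;
    zero = old, zero.rlim_cur = 0;
    if (setrlimit(RLIMIT_FSIZE, &zero) != 0)
        return -1;
    rc = writer(path, recs, n);
    setrlimit(RLIMIT_FSIZE, &old);
    sigaction(SIGXFSZ, &prev, NULL);
    return rc;
}
int main(void)
{
    demo_reset();
    int rc = write_passwd_safe(DEMO_PATH, DEMO_RECS, 2);
    printf("normal write: rc=%d size=%ld\n", rc, file_size(DEMO_PATH));
    rc = run_under_fsize_limit(write_passwd_safe, DEMO_PATH, DEMO_RECS, 2);
    printf("safe, ulimit -f 0: rc=%d size=%ld stale .new: %s\n", rc,
           file_size(DEMO_PATH), file_size(DEMO_TMP) < 0 ? "no" : "yes");
    rc = run_under_fsize_limit(write_passwd_unsafe, DEMO_PATH, DEMO_RECS, 2);
    printf("unsafe, ulimit -f 0: rc=%d size=%ld (truncated)\n", rc, file_size(DEMO_PATH));
    return demo_reset();
}
```

Build with 'cc -o demo demo.c' and run it as an unprivileged user.  The 
second line shows the hardened writer failing cleanly under the zero 
file-size limit with the live file intact and no '.new' left over; the 
third shows the unchecked writer installing a zero-byte file, which is 
the truncation outcome the two reports describe.  Note that stdio 
buffering defers the failing write to fflush() or fclose(), so a program 
that checks fprintf() but not fclose() is still exposed.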

45. ASP2PHP Preparse Token Variable Buffer Overflow Vulnerabilit...
BugTraq ID: 12014
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12014
Summary:
asp2php is prone to a buffer overflow vulnerability.  This issue is 
exposed when the application is used to convert an ASP file to PHP.  The 
particular issue is related to parsing of tokens in ASP files.  Since 
ASP files may originate from an external or untrusted source, this 
vulnerability is considered to be remote in nature.

Successful exploitation would allow for execution of arbitrary code in 
the context of the user running the application.

This issue is reportedly distinct from BID 12015 (ASP2PHP Preparse Temp 
Variable Buffer Overflow Vulnerability).  The details that distinguish 
these two separate vulnerabilities have not been determined at this 
time, other than that the overrun occurs in a different destination 
buffer.

46. ASP2PHP Preparse Temp Variable Buffer Overflow Vulnerability
BugTraq ID: 12015
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12015
Summary:
asp2php is prone to a buffer overflow vulnerability.  This issue is 
exposed when the application is used to convert an ASP file to PHP.  The 
particular issue is related to parsing of tokens in ASP files.  Since 
ASP files may originate from an external or untrusted source, this 
vulnerability is considered to be remote in nature.

Successful exploitation would allow for execution of arbitrary code in 
the context of the user running the application.

This issue is reportedly distinct from BID 12014 (ASP2PHP Preparse 
Token Variable Buffer Overflow Vulnerability).  The details that 
distinguish these two separate vulnerabilities have not been determined 
at this time, other than that the overrun occurs in a different 
destination buffer.

47. UML_Utilities UML_Net Slip Network Interface Denial Of Servi...
BugTraq ID: 12016
Remote: No
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12016
Summary:
The uml_utilities uml_net application may permit unprivileged, malicious 
local users to shut down the SLIP network interface.  This is because 
the program is installed setuid root by default.

This vulnerability could be exploited to deny network services over 
SLIP on an affected computer.

48. ABC2MTEX Process ABC Key Field Buffer Overflow Vulnerability
BugTraq ID: 12018
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12018
Summary:
abc2mtex is prone to a buffer overflow vulnerability.  This issue is 
exposed when the program is used to convert ABC music notation files to 
MTEX format.  In particular, the issue is due to insufficient bounds 
checking of key data in ABC notation files.  Since the ABC files may 
originate from an external or untrusted source, this issue is considered 
remote in nature.

Successful exploitation will result in execution of arbitrary code in 
the context of the user running the application.

49. ABCPP Directive Handler Buffer Overflow Vulnerability
BugTraq ID: 12021
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12021
Summary:
abcpp is prone to a buffer overflow vulnerability.  This issue is 
exposed when the program is used to handle directives in ABC music notation 
files.  Since the ABC files may originate from an external or untrusted 
source, this issue is considered remote in nature.

Successful exploitation will result in execution of arbitrary code in 
the context of the user running the application.

50. ABC2PS/JCABC2PS Voice Field Buffer Overflow Vulnerability
BugTraq ID: 12024
Remote: Yes
Date Published: Dec 15 2004
Relevant URL: http://www.securityfocus.com/bid/12024
Summary:
abc2ps and jcabc2ps are prone to a buffer overflow vulnerability.  This 
issue is exposed when the program is used to process the voice field in 
ABC music notation files.  Since the ABC files may originate from an 
external or untrusted source, this issue is considered remote in nature.

Successful exploitation will result in execution of arbitrary code in 
the context of the user running the application.

III. LINUX FOCUS LIST SUMMARY
-----------------------------
1. *nix data wipe tools (Thread)
Relevant URL:

http://www.securityfocus.com/archive/91/384971

IV. NEW PRODUCTS FOR LINUX PLATFORMS
------------------------------------
1. CoreGuard Core Security System
By: Vormetric
Platforms: AIX, Linux, Solaris, Windows 2000, Windows XP
Relevant URL: http://www.vormetric.com/products/#overview
Summary: 

CoreGuard System profile

The CoreGuard System is the industry's first solution that enforces
acceptable use policy for sensitive digital information assets and
protects personal data privacy across an enterprise IT environment.
CoreGuard's innovative architecture and completeness of technology
provide a comprehensive, extensible solution that tightly integrates all
the elements required to protect information across a widespread,
heterogeneous enterprise network, while enforcing separation of duties
between security and IT administration. At the same time, CoreGuard is
transparent to users, applications and storage infrastructures for ease
of deployment and system management.

CoreGuard enables customers to:
* Protect customer personal data privacy and digital information assets
* Protect data at rest from unauthorized viewing by external attackers
and unauthorized insiders
* Enforce segregation of duties between IT administrators and security
administration
* Ensure host & application integrity
* Block malicious code, including zero-day exploits

2. EnCase Forensic Edition
By: Guidance Software Inc.
Platforms: DOS, FreeBSD, Linux, MacOS, NetBSD, OpenBSD, PalmOS, 
Solaris, UNIX, Windows 2000, Windows 95/98, Windows NT, Windows XP
Relevant URL: 
http://www.guidancesoftware.com/products/EnCaseForensic/index.shtm
Summary: 

EnCase Forensic Edition Version 4 delivers the most advanced features 
for computer forensics and investigations. With an intuitive GUI and 
superior performance, EnCase Version 4 provides investigators with the 
tools to conduct large-scale and complex investigations with accuracy and 
efficiency. Guidance Software's award winning solution yields 
completely non-invasive computer forensic investigations while allowing 
examiners to easily manage large volumes of computer evidence and view all 
relevant files, including "deleted" files, file slack and unallocated 
space. 

The integrated functionality of EnCase allows the examiner to perform 
all functions of the computer forensic investigation process. EnCase's 
EnScript, a powerful macro-programming language and API included within 
EnCase, allows investigators to build customized and reusable forensic 
scripts.

3. KeyGhost SX
By: KeyGhost Ltd
Platforms: BeOS, DOS, Linux, OS/2, Solaris, SunOS, Windows 2000, 
Windows 95/98, Windows NT, Windows XP
Relevant URL: http://www.keyghost.com/SX/
Summary: 

KeyGhost SX discreetly captures and records all keystrokes typed, 
including chat conversations, email, word processor, or even activity within 
an accounting or specialist system. It is completely undetectable by 
software scanners and provides you with one of the most powerful stealth 
surveillance applications offered anywhere. 

Because KeyGhost uses STRONG 128-Bit encryption to store the recorded 
data in its own internal memory (not on the hard drive), it is 
impossible for a network intruder to gain access to any sensitive data 
stored within the device.

4. SafeKit
By: Evidian Inc.
Platforms: AIX, HP-UX, Linux, Solaris, Windows 2000
Relevant URL: http://www.evidian.com/safekit/index.htm
Summary: 

Evidian's SafeKit technology makes it possible to render any 
application available 24 hours per day. With no extra hardware: just use your 
existing servers and install this software-only solution.

This provides ultimate scalability. As your needs grow, all you need to 
do is add more standard servers into the cluster. With the load 
balancing features of SafeKit, you can distribute applications over multiple 
servers. If one system fails completely, the others will continue to 
serve your users.

5. Astaro Linux Firewall
By: Astaro
Platforms: Linux
Relevant URL: http://www.astaro.com/php/statics.php?action=asl&lang=gb
Summary: 

Astaro Linux Firewall: All-in-one firewall, virus protection, content 
filtering and spam protection internet security software package for 
Linux. 
Free download for home users.

6. CAT Cellular Authentication Token and eAuthentication Servic...
By: Mega AS Consulting Ltd
Platforms: Java, Linux, OpenBSD, Os Independent, SecureBSD, Solaris, 
UNIX, Windows 2000, Windows NT
Relevant URL: http://www.megaas.co.nz
Summary: 

Low cost, easy to use Two Factor Authentication One Time Password token 
that runs on a cellular phone.  It does not use SMS or any network 
communication and manages multiple OTP accounts - new technology.  For 
any business that wants safer access to its Internet services.  More 
information at our site.

We also provide an eAuthentication service for businesses that will not 
buy an authentication product but would prefer to pay a monthly charge 
for authentication services from our CAT Server.

V. NEW TOOLS FOR LINUX PLATFORMS
--------------------------------
1. pasmal 1.5
By: James Meehan
Relevant URL: http://www.elitelabs.org/
Platforms: Linux
Summary: 

pasmal 1.5 is a port knocking authentication system using simple or 
encrypted TCP/UDP/ICMP packets.  pasmal can be used with 
iptables/ipchains (for firewall purposes) or with any other program 
(remote shell, reboot, etc.).  It is packaged with a PHP web admin, a 
command line client (pasmal.client) and start/stop rc.d scripts.  pasmal 
1.5 also features an intrusion/attempt detection system, thanks to its 
sniffing capabilities, working with syslogd and custom log files.

2. PatchLink Update 6.01.78
By: PatchLink Corporation
Relevant URL: 
http://www.patchlink.com/products_services/plu_evaluationrequest.html
Platforms: AIX, DG-UX, Digital UNIX/Alpha, DOS, HP-UX, Java, Linux, 
MacOS, Net, NetBSD, Netware, OpenVMS, PalmOS, POSIX, SecureBSD, SINIX, 
Solaris, SunOS, True64 UN, True64 UNIX, Ultrix, UNICOS, UNIX, Unixware, 
Windows 2000, Windows 95/98, Windows CE, Windows NT, Windows XP
Summary: 

With PATCHLINK UPDATE, patch management is the secure, proactive, and 
preventative process it should be. PATCHLINK UPDATE scans networks for 
security holes and closes them with the click of a mouse, no matter the 
operating system, the vendor applications, the mix, or the size of the 
environment. From 5K nodes to 20+K nodes, PATCHLINK UPDATE works 
quickly, accurately and safely to ensure desktops and servers are patched 
correctly and completely the first time around.

3. AutoScan b0.92 R6
By: Lagarde Thierry
Relevant URL: http://autoscan.free.fr/
Platforms: Linux
Summary: 

AutoScan is an application designed to explore and to manage your 
network. Entire subnets can be scanned simultaneously without human 
intervention. It features OS detection, automatic network discovery, a port 
scanner, a Samba share browser, and the ability to save the network state.

4. ksb26-2.6.9 Kernel Socks Bouncer for 2.6.x kernels 2.6.9
By: Paolo Ardoino
Relevant URL: http://ardoino.altervista.org/kernel.php
Platforms: Linux
Summary: 

KSB26 [Kernel Socks Bouncer] is a Linux Kernel 2.6.x patch that redirects 
full TCP connections [SSH, telnet, ...] to pass through SOCKS5.  KSB26 
uses a character device to pass SOCKS5 and target IPs to the Linux 
Kernel.  I have chosen to write it in kernel space to enjoy myself [I know 
that there are easier and safer ways to write this in userspace].

5. rootsh 0.2
By: Gerhard Lausser
Relevant URL: http://sourceforge.net/projects/rootsh/
Platforms: AIX, HP-UX, Linux, POSIX, SINIX, Solaris, UNIX
Summary: 

Rootsh is a wrapper for shells which logs all echoed keystrokes and 
terminal output to a file and/or to syslog.  Its main purpose is the 
auditing of users who need a shell with root privileges.  They start 
rootsh through the sudo mechanism.  It's in heavy use here at a big 
Bavarian car manufacturer (three letters, fast, cool, ...) for project 
users whom you can't deny root privileges.

6. Maillog View  v1.03.3
By: Angelo 'Archie' Amoruso
Relevant URL: http://www.netorbit.it/modules.html
Platforms: Linux
Summary: 

Maillog View is a Webmin module that allows you to easily view all your 
/var/log/maillog.* files. It features autorefresh, message size 
indication, ascending/descending view order, compressed file support, and a 
full statistics page. Sendmail, Postfix, Exim, and Qmail (partially) are 
supported. Courier MTA support is experimental.

VII. SPONSOR INFORMATION
-----------------------

Need to know what's happening on YOUR network? Symantec DeepSight Analyzer
is a free service that gives you the ability to track and manage attacks.
Analyzer automatically correlates attacks from various Firewall and network
based Intrusion Detection Systems, giving you a comprehensive view of your
computer or general network. Sign up today!

http://www.securityfocus.com/sponsor/Symantec_sf-news_041130

------------------------------------------------------------------------