Date: Wed, 29 Mar 2006 16:39:15 -0700
From: "Peter Laborge" <plaborge@securityfocus.com>
To: linux-secnews@securityfocus.com
Subject: SecurityFocus Linux Newsletter #279
SecurityFocus Linux Newsletter #279
----------------------------------------

------------------------------------------------------------------
I.   FRONT AND CENTER
        1. Security Czar
        2. Learning an advanced skillset
II.  LINUX VULNERABILITY SUMMARY
        1. PHPWebSite Multiple SQL Injection Vulnerabilities
        2. cURL / libcURL TFTP URL Parser Buffer Overflow Vulnerability
        3. X.Org X Window Server Local Privilege Escalation Vulnerability
        4. FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability
        5. Linux Kernel Netfilter Do_Replace Local Buffer Overflow Vulnerability
        6. RunIt CHPST Privilege Escalation Vulnerability
        7. Util-VServer Unknown Linux Capabilities Vulnerability
        8. SNMPTRAPFMT Insecure Temporary File Creation Vulnerability
        9. Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
        10. Beagle Insecure Path Arbitrary Code Execution Vulnerability
        11. RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
        12. Linux Kernel Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
        13. Linux Kernel Get_Compat_Timespec and PTrace Local Denial Of Service Vulnerabilities
        14. Gentoo Nethack And Variants Local Privilege Escalation Vulnerability
        15. Vavoom Multiple Denial of Service Vulnerabilities
        16. Noah Grey Greymatter Arbitrary File Upload Vulnerability
        17. Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
        18. FreeRadius RLM_SQLCounter SQL Injection Vulnerability
        19. Tetris-BSD Tetris-bsd.scores Local Privilege Escalation Vulnerability
III. LINUX FOCUS LIST SUMMARY
        1. Systrace 1.6: Phoenix Release for Linux
        2. Libnids
V.   SPONSOR INFORMATION

I.   FRONT AND CENTER
---------------------
1. Security Czar
By Scott Granneman
In this column Scott Granneman takes the role of dictator of the 
security world and presents his ideas about mandatory reforms that would 
improve security for millions of people.
http://www.securityfocus.com/columnists/394

2. Learning an advanced skillset
By Don Parker
The purpose of this article is to guide network security analysts 
towards learning the advanced skillset required to help further their 
careers. We'll look at two key pillars of knowledge, protocols and 
programming, and why they're both so important in the security field.
http://www.securityfocus.com/infocus/1861


II.  LINUX VULNERABILITY SUMMARY
------------------------------------
1. PHPWebSite Multiple SQL Injection Vulnerabilities
BugTraq ID: 17150
Remote: Yes
Date Published: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17150
Summary:
phpWebSite is prone to multiple SQL-injection vulnerabilities. These 
issues are due to a failure in the application to properly sanitize 
user-supplied input before using it in SQL queries.

A successful exploit could allow an attacker to compromise the 
application, access or modify data, or exploit vulnerabilities in the 
underlying database implementation.

2. cURL / libcURL TFTP URL Parser Buffer Overflow Vulnerability
BugTraq ID: 17154
Remote: Yes
Date Published: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17154
Summary:
cURL and libcURL are prone to a buffer-overflow vulnerability. This 
issue is due to a failure in the library to perform proper bounds checks 
on user-supplied data before using it in a finite-sized buffer.

The issue occurs when the URL parser handles an excessively long URL 
string with a TFTP protocol prefix 'tftp://'.
An attacker can exploit this issue to crash the affected library, 
effectively denying service. Arbitrary code execution may also be possible, 
which may facilitate a compromise of the underlying system.

3. X.Org X Window Server Local Privilege Escalation Vulnerability
BugTraq ID: 17169
Remote: No
Date Published: 2006-03-20
Relevant URL: http://www.securityfocus.com/bid/17169
Summary:
The X.Org X Window server is prone to a privilege-escalation 
vulnerability.

A local attacker can exploit this issue to load arbitrary modules and 
execute them or overwrite arbitrary files with superuser privileges. 
This may facilitate a complete compromise of the affected computer.

4. FreeRADIUS EAP-MSCHAPv2 Authentication Bypass Vulnerability
BugTraq ID: 17171
Remote: Yes
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17171
Summary:
FreeRADIUS is prone to an authentication-bypass vulnerability. The 
issue exists in the EAP-MSCHAPv2 state machine. Bypassing authentication 
could also cause the server to crash.

FreeRADIUS versions from 1.0.0 to 1.1.0 are vulnerable.

5. Linux Kernel Netfilter Do_Replace Local Buffer Overflow Vulnerability
BugTraq ID: 17178
Remote: No
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17178
Summary:
The Linux kernel is susceptible to a local buffer-overflow 
vulnerability. This issue is due to the kernel's failure to properly bounds-check 
user-supplied input before using it in a memory copy operation.

This issue allows local attackers to overwrite kernel memory with 
arbitrary data, potentially allowing them to execute malicious machine code 
in the context of affected kernels. This vulnerability facilitates the 
complete compromise of affected computers.

This issue is exploitable only by local users who have superuser 
privileges or have the CAP_NET_ADMIN capability. This issue is therefore a 
security concern only if computers run virtualization software that 
allows users to have superuser access to guest operating systems or if the 
CAP_NET_ADMIN capability is given to untrusted users.

Linux kernel versions prior to 2.6.16 in the 2.6 series are affected by 
this issue.

6. RunIt CHPST Privilege Escalation Vulnerability
BugTraq ID: 17179
Remote: Yes
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17179
Summary:
Runit is susceptible to a local privilege-escalation vulnerability. 
This issue is due to a flaw in the 'chpst' utility that results in 
programs gaining unintended, elevated group privileges.

This issue will have varying consequences depending on the nature of 
programs executed by the affected utility. Attackers exploiting latent 
vulnerabilities in applications may gain access to elevated group 
privileges.

Runit versions prior to 1.4.1 are affected by this issue. This affects 
only packages that are compiled with 16-bit gid_t types (such as when 
compiled with dietlibc).

7. Util-VServer Unknown Linux Capabilities Vulnerability
BugTraq ID: 17180
Remote: Yes
Date Published: 2006-03-21
Relevant URL: http://www.securityfocus.com/bid/17180
Summary:
The util-vserver package for the Linux-VServer project is susceptible 
to an unknown Linux capability vulnerability. The package fails to 
properly handle unknown Linux capabilities.

The exact consequences of this issue are currently unknown. They depend 
on the nature of the unknown capabilities and on the nature of the 
applications that use them. Hosted virtual servers may possibly gain 
inappropriate access to the hosting operating system.

8. SNMPTRAPFMT Insecure Temporary File Creation Vulnerability
BugTraq ID: 17182
Remote: No
Date Published: 2006-03-22
Relevant URL: http://www.securityfocus.com/bid/17182
Summary:
The 'snmptrapfmt' package creates temporary files in an insecure 
manner. This may allow a local attacker to perform symbolic-link attacks.

Successful exploits may cause sensitive data or configuration files to 
be overwritten. This may result in a denial of service; other attacks 
may also be possible.

9. Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability
BugTraq ID: 17192
Remote: Yes
Date Published: 2006-03-22
Relevant URL: http://www.securityfocus.com/bid/17192
Summary:
Sendmail is prone to a remote code-execution vulnerability.

Remote attackers may leverage this issue to execute arbitrary code with 
the privileges of the application, which typically runs as superuser.

Sendmail versions prior to 8.13.6 are vulnerable to this issue.

10. Beagle Insecure Path Arbitrary Code Execution Vulnerability
BugTraq ID: 17195
Remote: No
Date Published: 2006-03-22
Relevant URL: http://www.securityfocus.com/bid/17195
Summary:
Beagle is susceptible to an insecure path vulnerability that can lead 
to arbitrary code execution.

This issue allows attackers to place malicious code in a publicly 
writable directory and have it executed by Beagle wrapper scripts. This 
results in the execution of arbitrary code with the privileges of the 
user running the vulnerable application.

11. RealNetworks Multiple Products Multiple Buffer Overflow Vulnerabilities
BugTraq ID: 17202
Remote: Yes
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17202
Summary:
Various RealNetworks products are prone to multiple buffer-overflow 
vulnerabilities.

These issues can result in memory corruption and facilitate arbitrary 
code execution. A successful attack can allow remote attackers to 
execute arbitrary code in the context of the application to gain unauthorized 
access.

12. Linux Kernel Sockaddr_In.Sin_Zero Kernel Memory Disclosure Vulnerabilities
BugTraq ID: 17203
Remote: No
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17203
Summary:
The Linux kernel is affected by local memory-disclosure 
vulnerabilities. These issues are due to the kernel's failure to properly clear 
previously used kernel memory before returning it to local users.

These issues allow an attacker to read kernel memory and potentially 
gather information to use in further attacks.

13. Linux Kernel Get_Compat_Timespec and PTrace Local Denial Of Service Vulnerabilities
BugTraq ID: 17216
Remote: No
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17216
Summary:
Two local denial-of-service vulnerabilities affect the Linux kernel. 
These issues are platform specific. The 'get_compat_timespec()' issue 
affects only the SPARC architecture; the 'ptrace()' issue affects only the 
ia64 architecture.

Local attackers may exploit these vulnerabilities to trigger a kernel 
crash, denying service to legitimate users.

14. Gentoo Nethack And Variants Local Privilege Escalation Vulnerability
BugTraq ID: 17217
Remote: No
Date Published: 2006-03-23
Relevant URL: http://www.securityfocus.com/bid/17217
Summary:
Nethack and its variant versions are prone to a local 
privilege-escalation vulnerability. The issue results from a design error.

A local attacker can leverage this issue to exploit latent 
vulnerabilities in applications by overwriting shared game data files.

15. Vavoom Multiple Denial of Service Vulnerabilities
BugTraq ID: 17261
Remote: Yes
Date Published: 2006-03-27
Relevant URL: http://www.securityfocus.com/bid/17261
Summary:
Vavoom is prone to two denial-of-service vulnerabilities. These issues 
can cause the application to stop responding or fail.

Vavoom 1.19.1 and earlier are affected.

16. Noah Grey Greymatter Arbitrary File Upload Vulnerability
BugTraq ID: 17271
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17271
Summary:
Greymatter is prone to an arbitrary file-upload vulnerability.

An attacker can exploit this vulnerability to upload arbitrary code and 
execute it in the context of the webserver process. This may facilitate 
unauthorized access or privilege escalation; other attacks are also 
possible.

17. Debian GNU/Linux Multiple Packages Insecure RUNPATH Vulnerability
BugTraq ID: 17288
Remote: No
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17288
Summary:
Multiple packages in Debian GNU/Linux are susceptible to an insecure 
RUNPATH vulnerability. This issue is due to a flaw in the build system 
that results in insecure RUNPATHs being included in certain binaries.

This vulnerability may result in arbitrary code being executed in the 
context of users who run the vulnerable executables. This may facilitate 
privilege escalation.

18. FreeRadius RLM_SQLCounter SQL Injection Vulnerability
BugTraq ID: 17294
Remote: Yes
Date Published: 2006-03-28
Relevant URL: http://www.securityfocus.com/bid/17294
Summary:
FreeRADIUS is prone to an SQL-injection vulnerability. This issue is 
due to a failure in the application to properly sanitize user-supplied 
input before using it in an SQL query.

Successful exploitation could allow an attacker to compromise the 
application, access or modify data, or exploit vulnerabilities in the 
underlying database implementation.

19. Tetris-BSD Tetris-bsd.scores Local Privilege Escalation Vulnerability
BugTraq ID: 17308
Remote: No
Date Published: 2006-03-29
Relevant URL: http://www.securityfocus.com/bid/17308
Summary:
Tetris-BSD is prone to a local privilege-escalation vulnerability. The 
issue results from a design error.

A local attacker can leverage this issue to exploit latent 
vulnerabilities in applications by overwriting shared game data files.

III. LINUX FOCUS LIST SUMMARY
---------------------------------
1. Systrace 1.6: Phoenix Release for Linux
http://www.securityfocus.com/archive/91/428672

2. Libnids
http://www.securityfocus.com/archive/91/428026

V.   SPONSOR INFORMATION
------------------------
Test your Network Security Free with QualysGuard
Requiring NO software, QualysGuard will safely and accurately test your 
network and provide you with the necessary fixes to proactively guard 
your network. Try QualysGuard Risk Free with No Obligation.

http://www.securityfocus.com/cgi-bin/ib.pl