[security] Security Advisories

Lorenzo Iannuzzi nakis at libero.it
Mon 19 Apr 2004 00:06:01 CEST


Two vulnerabilities have been discovered and fixed in CVS:

 CAN-2004-0180 - Sebastian Krahmer discovered a vulnerability whereby
 a malicious CVS pserver could create arbitrary files on the client
 system during an update or checkout operation, by supplying absolute
 pathnames in RCS diffs.

 CAN-2004-0405 - Derek Robert Price discovered a vulnerability whereby
 a CVS pserver could be abused by a malicious client to view the
 contents of certain files outside of the CVS root directory using
 relative pathnames containing "../".

Multiple format string vulnerabilities were discovered in neon, an
HTTP and WebDAV client library.  These vulnerabilities could
potentially be exploited by a malicious WebDAV server to execute
arbitrary code with the privileges of the process using libneon.

Paul Szabo discovered a number of similar bugs in suidperl, a helper
program to run perl scripts with setuid privileges.  By exploiting
these bugs, an attacker could abuse suidperl to discover information
about files (such as testing for their existence and some of their
permissions) that should not be accessible to unprivileged users.

Christian Jaeger reported a bug in logcheck which could potentially be
exploited by a local user to overwrite files with root privileges.
logcheck utilized a temporary directory under /var/tmp without taking
security precautions.  This directory is created when logcheck is
installed, and as long as it exists there is no vulnerability; but if
at any time the directory is removed, a local user can exploit the
unguarded recreation of it.
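The logcheck problem above is the classic unsafe temporary-directory pattern: a fixed, predictable path under a world-writable directory is reused without checking who created it, and recreated without an atomic, private create. The C below is an added example written for this digest (it is not logcheck's code, which is a shell script) showing the two precautions a defender wants: verify an existing work directory before trusting it, and create a fresh one with mkdtemp() so the name is unpredictable and the directory is 0700 from the start. The function names, the "logcheck.XXXXXX" template and the use of /tmp in the demo are constructed.

```c
/* Added example, not logcheck's code: safe handling of a work directory
 * kept under a world-writable location such as /var/tmp. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if DIR is safe to reuse: it exists, is a real directory (lstat,
 * so a symlink planted by another user fails), belongs to us and is not
 * writable by group or others. Anything else returns 0. */
int workdir_is_trustworthy(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0)
        return 0;                       /* absent: someone else could create it */
    if (!S_ISDIR(st.st_mode))
        return 0;                       /* symlink or regular file in its place */
    if (st.st_uid != geteuid())
        return 0;                       /* owned by another user */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;                       /* others could drop symlinks inside */
    return 1;
}

/* Create a fresh private work directory under BASE. mkdtemp() chooses an
 * unpredictable name and creates it with mode 0700 in one step, so there is
 * no check-then-create window for a local user to race. Writes the path to
 * OUT; returns 1 on success, 0 on failure. */
int make_private_workdir(const char *base, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "%s/logcheck.XXXXXX", base);  /* constructed template */
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    return mkdtemp(out) != NULL;
}

/* Self-check used by main(): create, verify, remove. Returns 1 if the fresh
 * directory passes workdir_is_trustworthy(). */
int workdir_roundtrip(const char *base)
{
    char path[256];
    if (!make_private_workdir(base, path, sizeof path))
        return 0;
    int ok = workdir_is_trustworthy(path);
    rmdir(path);
    return ok;
}

int main(void)
{
    printf("fresh private dir under /tmp: %s\n",
           workdir_roundtrip("/tmp") ? "trustworthy" : "FAILED");
    printf("/tmp itself (world-writable):  %s\n",
           workdir_is_trustworthy("/tmp") ? "trustworthy" : "not reusable");
    return 0;
}
```

The lstat() check matters because a stat() would follow a symlink placed at the expected path and happily report the directory it points to; the ownership and mode checks catch the case where the directory was recreated by somebody else before the program ran.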

A vulnerability has been discovered in the index support of the
ZCatalog plug-in in Zope, an open source web application server.  A
flaw in the security settings of ZCatalog allows anonymous users to
call arbitrary methods of catalog indexes.  The vulnerability also
allows untrusted code to do the same.


Two programming errors were discovered in which path names handled by
CVS were not properly validated.  In one case, the CVS client accepts
absolute path names from the server when determining which files to
update.  In another case, the CVS server accepts relative path names
from the client when determining which files to transmit, including
those containing references to parent directories (`../').
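Both CVS issues come down to using a path name received from the other end of the connection without checking its shape. The C below is an added example written for this digest, not CVS source: `path_is_safe()` refuses absolute names (what a client must do with server-supplied names, CAN-2004-0180) and any `..` component (what the server must do with client-supplied names, CAN-2004-0405), and `join_under_root()` shows the server-side use of anchoring an accepted name under the repository root. Function names and the sample paths are constructed; only `/` is treated as a separator, as a pserver on Unix would see it.

```c
/* Added example, not CVS code: validate path names received from the
 * peer before they are used for any file operation. */
#include <stdio.h>
#include <string.h>

/* Return 1 if PATH is a non-empty relative path with no ".." component,
 * 0 otherwise. Purely a string check: no file system access. */
int path_is_safe(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return 0;
    if (path[0] == '/')
        return 0;                 /* absolute: the peer must not pick our root */
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;             /* "..": would climb out of the tree */
        if (end == NULL)
            return 1;             /* last component checked */
        p = end + 1;
    }
}

/* Server side: build ROOT/REL into OUT only if REL passed the check.
 * Returns 1 on success, 0 if REL was refused or OUT is too small. */
int join_under_root(const char *root, const char *rel, char *out, size_t outlen)
{
    if (!path_is_safe(rel))
        return 0;
    int n = snprintf(out, outlen, "%s/%s", root, rel);
    return n >= 0 && (size_t)n < outlen;
}

/* Convenience for the demo: 1 if joining ROOT and REL yields EXPECTED. */
int join_equals(const char *root, const char *rel, const char *expected)
{
    char buf[256];
    return join_under_root(root, rel, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* constructed sample names a peer might send */
    const char *samples[] = {
        "src/main.c", "/etc/passwd", "../../etc/passwd", "src/../../x", "..hidden/f"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i], path_is_safe(samples[i]) ? "ok" : "REFUSED");
    return 0;
}
```

Note that `..hidden/f` is accepted: the check is on whole components, not on the substring "..", so legitimate names starting with dots still work while every parent reference is caught.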


  According to a vendor security advisory based on hints from Stefan
  Esser and Jonathan Heusser, several vulnerabilities of various types
  exist in the Ethereal network protocol analyzer. Namely, it may be
  possible to make Ethereal crash or run arbitrary code by injecting a
  purposefully malformed packet onto the wire, by convincing someone to
  read a malformed packet trace file, or by creating a malformed color
  filter file.

  Greuff of VOID.AT discovered various format string vulnerabilities in
  the error output handling routines of the Neon HTTP and WebDAV client
  library. The Common Vulnerabilities and Exposures (CVE) project
  assigned the id CAN-2004-0179 to the problem.
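The neon advisories (CAN-2004-0179 here and the format string summary earlier in this digest) describe the same defect class: text that arrived from the server ends up as the format argument of a printf-style error routine. The C below is an added example written for this digest and is not neon's code; it models a generic error setter, shows the vulnerable call site beside the fixed one, and adds a small check for code paths that cannot avoid accepting a format from elsewhere. Function names and the sample server text are constructed.

```c
/* Added example, not neon code: a printf-style error setter and the two
 * ways of calling it with text received from a server. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Error setter: FMT is meant to be a literal under the caller's control. */
void set_error(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* VULNERABLE use: SERVER_TEXT (e.g. a status line from the peer) becomes
 * the format string, so "%x" or "%n" in it drives the conversions and the
 * stack is read or written as the peer chooses. Not exercised with hostile
 * input here; shown only to contrast with the fixed form. */
void report_unsafe(char *out, size_t outlen, const char *server_text)
{
    set_error(out, outlen, server_text);
}

/* FIXED use: the format is a literal and the untrusted text is an argument. */
void report_safe(char *out, size_t outlen, const char *server_text)
{
    set_error(out, outlen, "server reported: %s", server_text);
}

/* Render through the fixed path into a static buffer; returns the buffer. */
const char *render_safe(const char *server_text)
{
    static char buf[128];
    report_safe(buf, sizeof buf, server_text);
    return buf;
}

/* Defensive check for places that must keep accepting a format from
 * elsewhere: 1 if S carries a conversion directive ('%' not followed by
 * '%'), 0 if it is plain text. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" is a literal percent sign */
            s++;
            continue;
        }
        return 1;
    }
    return 0;
}

int main(void)
{
    const char *hostile = "500 Internal %x%x%x%n";   /* constructed sample */
    printf("fixed path renders it literally: %s\n", render_safe(hostile));
    printf("directive check: %d (hostile), %d (\"100%% done\")\n",
           has_format_directive(hostile), has_format_directive("100%% done"));
    return 0;
}
```

Declaring the setter with `__attribute__((format(printf, 3, 4)))` on GCC and Clang makes `-Wformat-security` flag the `report_unsafe` call site at compile time, which is the cheapest way to find this pattern across a code base.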


ColdFusion MX 6.1 is vulnerable to a denial of service
attack if a malicious user repeatedly uploads files and
interrupts each upload before it completes.


Bye, and until next time!

More information about the security mailing list