Hello, Attached are patches for the 'undated' security advisories. After they are applied there will be four _unpatched_ advisories in that directory, three for 'xfree' and one for 'mc'. At this time it doesn't appear that I will find any usable information for those four advisories.
If all the patches are applied, sixteen files will be changed: 1bliss.(data,wml), 1doom.wml, 1land.data, 1ldso.wml, 1libdb.wml, 1lynx.wml, 1mgetty.wml, 1modutils.wml, 1parsecontrol.(data,wml), 1samba.wml, 1sperl.(data,wml), 1svgalib.wml, and 1teardrop.data. If there are any questions/problems with the attached patches, please let me know. If the patches look good, would someone commit them? Matt, thanks for your help with the previous ones. Next, I intend to start working on the advisories that link back into the Debian archives; it appears that there are several in the 1999 directory.

Doug Jensen
diff -u old/1bliss.wml new/1bliss.wml --- old/1bliss.wml Fri Aug 15 12:00:18 2003 +++ new/1bliss.wml Wed Aug 13 07:54:01 2003 @@ -5,7 +5,18 @@ problem. This is why people should do as little as possible under root. +<p>Bliss was described on USENET in the fall of 1996. In February of 1997, it was reported in Linux and Bugtraq mailing lists. + +<p>Check for Bliss by searching all binaries for the following pattern:<br>E8ABD8FFFFC200003634 65643134373130363532 + <p>Disinfect with the --bliss-uninfect-files-please argument to an infected program. + +<p>References: +<ul> +<li> <a href="http://www.f-secure.com/v-descs/bliss.shtml"> F-Secure - bliss description</a> +<li> <a href="http://www.securitymap.net/sdm/docs/virus/unix-virus-459.html">Viruses on Unix systems - by Rado Dejanovic</a> +<li> <a href="http://www2.norwich.edu/mkabay/iyir/1997.PDF">InfoSec Year in Review -- 1997 (at Norwich.edu) (PDF)</a> +</ul> </define-tag> # do not modify the following line diff -u old/1doom.wml new/1doom.wml --- old/1doom.wml Fri Aug 15 12:00:18 2003 +++ new/1doom.wml Wed Aug 13 11:29:02 2003 @@ -1,6 +1,11 @@ <define-tag description>/tmp file attack</define-tag> <define-tag moreinfo> Doom startmouse creates replaceable /tmp/gpmscript + +<p>References: +<ul> +<li> <a href="http://www.insecure.org/sploits/linux.doom.gpm.killmouse.html">BugTraq posting - doom<a/> +</ul> </define-tag> # do not modify the following line diff -u old/1land.data new/1land.data --- old/1land.data Fri Aug 15 12:00:18 2003 +++ new/1land.data Wed Aug 13 08:48:01 2003 @@ -1,5 +1,6 @@ <define-tag pagetitle>kernel</define-tag> <define-tag report_date>undated</define-tag> +<define-tag secrefs>CA-1997-28</define-tag> <define-tag packages>kernel-package</define-tag> <define-tag isvulnerable>no</define-tag> <define-tag fixed>N/A</define-tag> diff -u old/1ldso.wml new/1ldso.wml --- old/1ldso.wml Fri Aug 15 12:00:18 2003 +++ new/1ldso.wml Wed Aug 13 07:54:01 2003 
@@ -3,6 +3,22 @@ Local users may gain root privileges by exploiting a buffer overflow in the dynamic linker (ld.so). +<p>The vulnerability may also allow remote users to obtain root access. + +<p>This paragraph was extracted from CIAC h-86 (see References):<br> + On Linux, programs linked against shared libraries execute some code + contained in /lib/ld.so (for a.out binaries) or /lib/ld-linux.so (for + ELF binaries), which loads the shared libraries and binds all symbols. + If an error occurs during this stage, an error message is printed and + the program terminates. The printf replacement used at this stage is + not protected from buffer overruns. + +<p>References: +<ul> +<li><a href="http://ciac.llnl.gov/ciac/bulletins/h-86.shtml">CIAC Bulletin +h-86</a> +</ul> + <p>Fixes: ldso-1.8.11 or later </define-tag> diff -u old/1libdb.wml new/1libdb.wml --- old/1libdb.wml Fri Aug 15 12:00:18 2003 +++ new/1libdb.wml Wed Aug 13 07:54:01 2003 @@ -3,6 +3,16 @@ Libdb includes version of snprintf() function with bound checking disabled. +<p>From the libdb (1.85.4-4) changelog:<br> + * PORT/linux/Makefile: SECURITY FIX: don't build broken snprintf, which + ignores the bounds check, making programs which just *happen* to use + libdb vulnerable... + +<p>References: +<ul> +<li><a href="http://lists.insecure.org/lists/bugtraq/1997/Jul/0043.html">BugTraq mail list - July 1997 (0043)</a> +</ul> + <p>Fixes: libdb 1.85.4-4 or later </define-tag> diff -u old/1lynx.wml new/1lynx.wml --- old/1lynx.wml Fri Aug 15 12:00:18 2003 +++ new/1lynx.wml Wed Aug 13 07:54:01 2003 
@@ -2,6 +2,15 @@ <define-tag moreinfo> Restricted/anonymous lynx users can execute arbitrary commands. + +<p>Also, conceivably, a malicious webmaster could cause lynx users to execute +arbitrary commands. + +<p>References: +<ul> +<li><a href="http://www.cert.org/vendor_bulletins/VB-97.05.lynx">CERT Vendor Bulletins - VB-97.05.lynx</a> +<li><a href="http://www.ciac.org/ciac/bulletins/h-82.shtml">CIAC Bulletin h-82</a> +</ul> <p>Fixes: lynx 2.7.1-3 or later </define-tag> diff -u old/1mgetty.wml new/1mgetty.wml --- old/1mgetty.wml Fri Aug 15 12:00:18 2003 +++ new/1mgetty.wml Wed Aug 13 07:54:01 2003 @@ -2,6 +2,11 @@ <define-tag moreinfo> Improper quoting of user data in mgetty allowed users to execute commands as root. + +<p>References: +<ul> +<li><a href="http://lists.insecure.org/lists/bugtraq/1997/Jul/0161.html"> BugTraq mail list - Jul 1997 (0161) +</ul> </define-tag> diff -u old/1modutils.wml new/1modutils.wml --- old/1modutils.wml Fri Aug 15 12:00:18 2003 +++ new/1modutils.wml Wed Aug 13 07:54:01 2003 @@ -2,6 +2,14 @@ <P>Note:<BR> Use of request-route is not recommended. The diald package provides the same functionality in a much better way. In a future kernel, support for request-route will be dropped. + +<p>References: +<ul> +<li><a href="http://www.securitybugware.org/Linux/658.html">securitybugware.org - SBWID-658 </a> +<li><a href="http://www.faqs.org/docs/Linux-mini/Kerneld.html">Linux +Kerneld mini-HOWTO (search for request-route)</a> +</ul> + </define-tag> <define-tag description>request-route used a lock file in /tmp</define-tag> diff -u old/1parsecontrol.data new/1parsecontrol.data --- old/1parsecontrol.data Fri Aug 15 12:00:18 2003 +++ new/1parsecontrol.data Wed Aug 13 08:48:01 2003 
@@ -1,5 +1,6 @@ <define-tag pagetitle>parse-control</define-tag> <define-tag report_date>undated</define-tag> +<define-tag secrefs>CA-1997-08</define-tag> <define-tag packages>inn</define-tag> <define-tag isvulnerable>no</define-tag> <define-tag fixed>Yes</define-tag> diff -u old/1parsecontrol.wml new/1parsecontrol.wml --- old/1parsecontrol.wml Fri Aug 15 12:00:18 2003 +++ new/1parsecontrol.wml Wed Aug 13 07:54:01 2003 @@ -1,6 +1,26 @@ <define-tag moreinfo> </define-tag> <define-tag description>INN 1.5 parsecontrol</define-tag> +<define-tag moreinfo> +This vulnerability may allow remote users to execute arbitrary commands +with the privileges of the user that manages the news server. +<p>Quoting from CA-1997-08:<br> +Remote, unauthorized users can execute arbitrary commands on the system +with the same privileges as the innd (INN daemon) process. Attacks may +reach news servers located behind Internet firewalls. + +<p>Versions of INN prior to 1.5.1 are vulnerable. + +<p>The Debian entry from CA-1997-08:<br> +The current version of INN shipped with Debian is 1.4unoff4. +However the "unstable" (or development) tree contains inn-1.5.1. + +<p>References: +<ul> +<li><a href="http://www.cert.org/summaries/CS-97.02.html"> CERT Special Edition about news servers</a> +</ul> + +</define-tag> # do not modify the following line #include '$(ENGLISHDIR)/security/undated/1parsecontrol.data' diff -u old/1samba.wml new/1samba.wml --- old/1samba.wml Fri Aug 15 12:00:18 2003 +++ new/1samba.wml Fri Aug 15 11:46:21 2003 
@@ -1,6 +1,16 @@ <define-tag description>remote root exploit</define-tag> <define-tag moreinfo> Problem with Samba allowed remote users to get root access. + +<p>An exploit has been posted on the internet and the vunerability is +assumed to be actively exploited. + +<p>All versions of Samba prior to version 1.9.17p2 are vulnerable. + +<p>References: +<ul> +<li> <a href="http://www.cert.org/vendor_bulletins/VB-97.10.samba">CERT Vendor Bulletin for Samba</a> +</ul> </define-tag> # do not modify the following line diff -u old/1sperl.data new/1sperl.data --- old/1sperl.data Fri Aug 15 12:00:18 2003 +++ new/1sperl.data Wed Aug 13 08:48:01 2003 @@ -1,5 +1,6 @@ <define-tag pagetitle>sperl</define-tag> <define-tag report_date>undated</define-tag> +<define-tag secrefs>CA-1997-17</define-tag> <define-tag packages>perl-suid</define-tag> <define-tag isvulnerable>yes</define-tag> <define-tag fixed>Yes</define-tag> diff -u old/1sperl.wml new/1sperl.wml --- old/1sperl.wml Fri Aug 15 12:00:18 2003 +++ new/1sperl.wml Wed Aug 13 07:54:02 2003 @@ -2,6 +2,12 @@ <define-tag moreinfo> Users can gain root access with suidperl version 5.003. + +<p> If called with crafted parameters, a buffer overflow condition in +suidperl could allow a user to execute arbitrary commands as root. + +<p> Unpatched versions of suidperl (sperl) 4.n and 5.n prior to 5.004, are +vunerable. </define-tag> diff -u old/1svgalib.wml new/1svgalib.wml --- old/1svgalib.wml Fri Aug 15 12:00:18 2003 +++ new/1svgalib.wml Wed Aug 13 07:54:02 2003 
@@ -1,6 +1,17 @@ <define-tag description>local root exploit</define-tag> <define-tag moreinfo> svgalib didn't properly give up root privileges. + +<p>Quoting from the ksrt advisory:<br> +svgalib 1.2.10 and below do not properly revoke privileges, and through +the use of saved user ids, any svgalib application may still be vulnerable +to buffer overruns(stack overwrites). + +<p>References: +<ul> +<li> <a href="http://www.attrition.org/security/advisory/ksrt/ksrt.001.svgalib.zgv">Attrition.org advisory ksrt.001</a> +<li> <a href="http://lists.insecure.org/lists/bugtraq/1997/Jun/0128.html">BugTraq mail list June 1997 (0128)</a> +</ul> </define-tag> # do not modify the following line diff -u old/1teardrop.data new/1teardrop.data --- old/1teardrop.data Fri Aug 15 12:00:18 2003 +++ new/1teardrop.data Wed Aug 13 08:48:01 2003 @@ -1,5 +1,6 @@ <define-tag pagetitle>teardrop</define-tag> <define-tag report_date>undated</define-tag> +<define-tag secrefs>CA-1997-28</define-tag> <define-tag packages>kernel-package</define-tag> <define-tag isvulnerable>yes</define-tag> <define-tag fixed>Yes</define-tag>
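Review bot: in the 1bliss.wml hunk the detection signature is printed as two hex groups separated by a space (`E8ABD8FFFFC200003634 65643134373130363532`); if the cited F-Secure description gives it as one contiguous byte string, the space is a wrapping artifact and anyone searching for the literal text will miss matches. Please confirm the exact signature against the reference and, if it is one token, present it without the space (a `<code>` element would also keep whitespace unambiguous in the rendered page).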
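Review bot: the closing anchor in the 1doom.wml hunk is malformed: `<li> <a href="http://www.insecure.org/sploits/linux.doom.gpm.killmouse.html">BugTraq posting - doom<a/>` ends with `<a/>` (a self-closing open tag) instead of `</a>`, so the link is never terminated and the following `</ul>` will be rendered inside it. Change the ending to `BugTraq posting - doom</a>`.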
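Review bot: the 1mgetty.wml hunk is missing the closing `</a>` on its reference entry; `<li><a href="http://lists.insecure.org/lists/bugtraq/1997/Jul/0161.html"> BugTraq mail list - Jul 1997 (0161)` should end with `(0161)</a>` so the anchor does not swallow the `</ul>` that follows. The leading space inside the anchor text can be dropped at the same time.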
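Review bot: two small style points in the 1modutils.wml hunk: the first reference has a trailing space inside the anchor text (`SBWID-658 </a>`), and the added text uses lowercase `<p>`/`<ul>` while the existing lines in the same block use `<P>` and `<BR>`; pick one case for the file (lowercase matches the other patched files).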
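Review bot: the 1parsecontrol.wml hunk leaves the original empty `<define-tag moreinfo>` / `</define-tag>` pair in place and adds a second `<define-tag moreinfo>` after the description tag, so `moreinfo` is defined twice in the same file and the result depends on which definition WML keeps. Fill in the existing empty definition (or delete it) instead of redefining the tag; that also restores the description-before-moreinfo order used in the other files.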
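Review bot: typo in the 1samba.wml hunk: `the vunerability is` should read `the vulnerability is`. The same misspelling appears in the 1sperl.wml hunk (`are` / `vunerable.` should be `vulnerable.`); the two `<p> ` lines there also carry a leading space after the tag that the other patched files do not use.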