SUSE Security Summary Report (SUSE-SR:2006:026)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
______________________________________________________________________________
SUSE Security Summary Report
Announcement ID: SUSE-SR:2006:026
Date: Fri, 17 Nov 2006 15:00:00 +0000
Cross-References: CVE-2006-5794 CVE-2006-5864 CVE-2006-4339
CVE-2006-5467 CVE-2006-2362 CVE-2006-4809
CVE-2006-4808 CVE-2006-4807 CVE-2006-4806
CVE-2006-5461 CVE-2006-0743
Content of this advisory:
1) Solved Security Vulnerabilities:
- openssh return value checking
- gv stack overflow
- bind DNSSEC RSA signature checking problem
- ruby CGI denial of service problem
- binutils tekhex overflow
- imlib2-loaders denial of service and overflows
- avahi netlink message injection
- log4net syslog format string problem
2) Pending Vulnerabilities, Solutions, and Work-Arounds:
- None listed this week.
3) Authenticity Verification and Additional Information
______________________________________________________________________________
1) Solved Security Vulnerabilities
To avoid flooding mailing lists with SUSE Security Announcements for minor
issues, SUSE Security releases weekly summary reports for the low profile
vulnerability fixes. The SUSE Security Summary Reports do not list md5 sums
or download URLs like the SUSE Security Announcements that are released for
more severe vulnerabilities.
Fixed packages for the following incidents are already available on our FTP
server and via the YaST Online Update.
- openssh return value checking
The OpenSSH release 4.5 contains a security fix which has been
backported to the openssh versions in our old products.
CVE-2006-5794: Incorrect return value checking in the privilege
separation monitor was fixed. In case of an exploitable unprivileged
helper this could have been used to elevate privileges.
This is not exploitable by default; it requires another exploitable
problem in the privilege-separated processes.
All SUSE Linux based products were affected by this problem.
- gv stack overflow
A stack overflow in the PostScript viewer gv could be exploited to
execute code if the user could be tricked into viewing a prepared
PostScript file using gv. (CVE-2006-5864)
All SUSE Linux based products were affected.
- bind DNSSEC RSA signature checking problem
The RSA signature problem tracked by the Mitre CVE ID CVE-2006-4339
also affects the DNSSEC implementation in the BIND nameserver.
All SUSE Linux based distributions were affected by this problem.
- ruby CGI denial of service problem
A denial of service problem in the CGI multipart parsing of
"ruby" was fixed; it could have allowed remote attackers to
mount a denial of service attack against ruby based
web services. (CVE-2006-5467)
All SUSE Linux based products containing ruby were affected.
- binutils tekhex overflow
A buffer overflow was fixed in the tekhex handling in "binutils",
which could be used by attackers supplying files to "file" to crash
this program. (CVE-2006-2362)
All SUSE Linux based products were affected, except SLE 10 and 10.1,
which already included the fix at ship time.
- imlib2-loaders denial of service and overflows
Various security problems have been fixed in the imlib2 image
loaders:
CVE-2006-4809: A stack buffer overflow in loader_pnm.c could be used
by attackers to execute code by supplying a handcrafted PNM image.
CVE-2006-4808: A heap buffer overflow in loader_tga.c could
potentially be used by attackers to execute code by supplying a
handcrafted TGA image.
CVE-2006-4807: An out-of-bounds memory read in loader_tga.c could
be used to crash the application using imlib2 with a handcrafted
TGA image.
CVE-2006-4806: Various integer overflows in width*height calculations
could lead to heap overflows which could potentially be used to
execute code. Affected here are the ARGB, PNG, LBM, JPEG and TIFF
loaders.
Additionally, loading of TIFF images on 64-bit systems is now possible.
SUSE Linux 9.2 up to 10.1 and SLED 10 were affected by this problem.
Since the only common user of imlib2 is digikam, which usually does
not receive images from the network, the chance of exploitability is low.
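The width*height problem described for the ARGB, PNG, LBM, JPEG and TIFF loaders (CVE-2006-4806) is a generic pattern, so here is an added example (not imlib2 code) that makes it visible: the naive 32-bit product that wraps, beside the checked arithmetic a hardened loader uses before calling malloc(). The 8-byte big-endian width/height header and the MAX_PIXELS cap are constructed for this example and do not correspond to any real image format or to imlib2's limits.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BYTES_PER_PIXEL 4u
/* Policy cap on the pixel count (assumption for this example; a real
 * loader picks its own limit). It matters on 64-bit hosts, where the
 * product itself no longer overflows size_t but is still absurd. */
#define MAX_PIXELS ((size_t)8192 * 8192)

/* Vulnerable arithmetic: the product is computed in 32 bits and wraps,
 * so a huge image yields a tiny (or zero) allocation while the decoder
 * still writes w*h pixels into it. Shown only to make the wrap visible;
 * never size a buffer this way. */
uint32_t naive_image_bytes(uint32_t w, uint32_t h)
{
    return w * h * BYTES_PER_PIXEL;
}

/* Hardened arithmetic: each multiplication is checked against SIZE_MAX
 * before it is performed, zero dimensions are rejected, and the policy
 * cap is applied. Returns 0 and sets *out on success, -1 on rejection. */
int checked_image_bytes(uint32_t w, uint32_t h, size_t *out)
{
    if (w == 0 || h == 0)
        return -1;
    if ((size_t)w > SIZE_MAX / (size_t)h)       /* w*h would overflow */
        return -1;
    size_t pixels = (size_t)w * (size_t)h;
    if (pixels > MAX_PIXELS)                     /* policy cap */
        return -1;
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)     /* *4 would overflow */
        return -1;
    *out = pixels * BYTES_PER_PIXEL;
    return 0;
}

/* Convenience for callers that only need the byte count: 0 means rejected. */
size_t image_bytes_or_zero(uint32_t w, uint32_t h)
{
    size_t n;
    return checked_image_bytes(w, h, &n) == 0 ? n : 0;
}

/* Read a big-endian 32-bit value (constructed header layout). */
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Allocate the pixel buffer for a header the way a hardened loader does:
 * NULL (and *bytes == 0) when the dimensions are rejected, so the caller
 * never decodes into an undersized buffer. */
uint8_t *alloc_pixels(const uint8_t hdr[8], size_t *bytes)
{
    uint32_t w = be32(hdr), h = be32(hdr + 4);
    *bytes = 0;
    if (checked_image_bytes(w, h, bytes) != 0)
        return NULL;
    return calloc(1, *bytes);
}

int main(void)
{
    /* Constructed headers: a 640x480 image and a 65536x65537 one. */
    const uint8_t ok_hdr[8]  = {0, 0, 2, 128, 0, 0, 1, 224};
    const uint8_t bad_hdr[8] = {0, 1, 0, 0,   0, 1, 0, 1};
    size_t n;

    /* 65536*65537*4 wraps to 262144: a 256 KiB buffer for 4 G pixels. */
    printf("naive bytes for 65536x65537: %u\n",
           (unsigned)naive_image_bytes(65536u, 65537u));

    uint8_t *p = alloc_pixels(ok_hdr, &n);
    printf("640x480 -> %zu bytes (%s)\n", n, p ? "allocated" : "rejected");
    free(p);

    p = alloc_pixels(bad_hdr, &n);
    printf("65536x65537 -> %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

The check order matters: the SIZE_MAX division guards are what catch the wrap on 32-bit hosts, while the explicit cap is what rejects the same header on 64-bit hosts, where the 65536x65537 product fits in size_t and would otherwise lead to a 16 GiB allocation attempt.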
- avahi netlink message injection
Avahi did not check that received netlink messages originated
from the kernel. Local attackers could use this to inject bad
netlink messages into Avahi, confusing its routing code.
(CVE-2006-5461)
SUSE Linux 10.1 and SLED 10 were affected by this problem.
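The fix the Avahi entry describes is an origin check on the netlink socket. As an added illustration (not Avahi's code), the block below shows that check on Linux: the kernel is the only netlink peer whose port id (nl_pid) is 0, so a message whose source address carries a non-zero nl_pid came from another local process and is dropped before it reaches any route-handling logic. It also walks a received buffer with the NLMSG_* macros so that a bad length in an injected header cannot push the parser out of bounds. The recv wrapper needs a real rtnetlink socket; the constructed addresses and the two-message demo buffer in main() exercise the checks offline.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <linux/netlink.h>

/* Returns 1 if the source address of a received netlink message
 * identifies the kernel, 0 for anything else (wrong length, wrong
 * family, or a user-space sender with a non-zero port id). */
int netlink_sender_is_kernel(const struct sockaddr_nl *sa, socklen_t sa_len)
{
    if (sa_len != sizeof(*sa))
        return 0;
    if (sa->nl_family != AF_NETLINK)
        return 0;
    return sa->nl_pid == 0;
}

/* recvfrom() wrapper for an rtnetlink socket: returns data only when it
 * was sent by the kernel; an injected message is reported as EPERM so
 * the caller logs and drops it instead of parsing it. */
ssize_t recv_netlink_from_kernel(int fd, void *buf, size_t len)
{
    struct sockaddr_nl sa;
    socklen_t sa_len = sizeof(sa);
    memset(&sa, 0, sizeof(sa));
    ssize_t n = recvfrom(fd, buf, len, 0, (struct sockaddr *)&sa, &sa_len);
    if (n < 0)
        return -1;
    if (!netlink_sender_is_kernel(&sa, sa_len)) {
        errno = EPERM;
        return -1;
    }
    return n;
}

/* Second line of defence: iterate with NLMSG_OK/NLMSG_NEXT, which refuse
 * a header that is truncated or claims more bytes than were received.
 * Returns the number of well-formed messages in the buffer. */
size_t count_netlink_messages(void *buf, size_t len)
{
    struct nlmsghdr *nh = buf;
    int remaining = (int)len;   /* the macros work on an int length */
    size_t count = 0;
    for (; NLMSG_OK(nh, remaining); nh = NLMSG_NEXT(nh, remaining))
        count++;
    return count;
}

/* Constructed demo buffer: two minimal NLMSG_NOOP messages with a
 * 4-byte payload each (20 bytes per message after alignment). */
static unsigned char demo_buf[64];

size_t build_demo_buffer(unsigned char *out)
{
    size_t off = 0;
    for (int i = 0; i < 2; i++) {
        struct nlmsghdr *nh = (struct nlmsghdr *)(out + off);
        memset(nh, 0, NLMSG_SPACE(4));
        nh->nlmsg_len = NLMSG_LENGTH(4);
        nh->nlmsg_type = NLMSG_NOOP;
        off += NLMSG_SPACE(4);
    }
    return off;
}

int main(void)
{
    /* Constructed source addresses: one from the kernel, one from a
     * hypothetical local process whose socket got port id 4242. */
    struct sockaddr_nl from_kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    struct sockaddr_nl from_user   = { .nl_family = AF_NETLINK, .nl_pid = 4242 };

    printf("kernel sender accepted: %d\n",
           netlink_sender_is_kernel(&from_kernel, sizeof(from_kernel)));
    printf("user-space sender accepted: %d\n",
           netlink_sender_is_kernel(&from_user, sizeof(from_user)));

    size_t len = build_demo_buffer(demo_buf);
    printf("messages in %zu-byte buffer: %zu\n", len,
           count_netlink_messages(demo_buf, len));
    /* A buffer cut short after the first message yields exactly one. */
    printf("messages in truncated buffer: %zu\n",
           count_netlink_messages(demo_buf, 30));
    return 0;
}
```

A process cannot obtain port id 0 for its own netlink socket (binding with nl_pid 0 asks the kernel to assign one), which is what makes the nl_pid == 0 test a reliable distinction between kernel notifications and unicast messages from other local processes.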
- log4net syslog format string problem
This update fixes a format string vulnerability in the RemoteSyslogAppender
of the C# log4net.dll. It requires an attacker to be able to inject
prepared text into the logging framework.
The issue is tracked by Mitre CVE ID CVE-2006-0743 and was found
by Sebastian Krahmer of SUSE Security.
Affected was the log4net package in SUSE Linux 10.1 and all C#
applications that include a copy of log4net.dll. The latter have
not been updated yet.
______________________________________________________________________________
2) Pending Vulnerabilities, Solutions, and Work-Arounds
None are listed this week.
______________________________________________________________________________
3) Authenticity Verification and Additional Information
- Announcement authenticity verification:
SUSE security announcements are published via mailing lists and on Web
sites. The authenticity and integrity of a SUSE security announcement is
guaranteed by a cryptographic signature in each announcement. All SUSE
security announcements are published with a valid signature.
To verify the signature of the announcement, save it as text into a file
and run the command
gpg --verify <file>
replacing <file> with the name of the file containing the announcement.
The output for a valid signature looks like:
gpg: Signature made <DATE> using RSA key ID 3D25D3D9
gpg: Good signature from "SuSE Security Team
Participants (1): Marcus Meissner