SuSE Security Announcement: heimdal (SuSE-SA:2002:034)
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SuSE Security Announcement
Package: heimdal
Announcement-ID: SuSE-SA:2002:034
Date: Mon Sep 30 17:00:00 CEST 2002
Affected products: SuSE Linux 7.2, 7.3, 8.0,
SuSE eMail Server,
SuSE Linux Connectivity Server,
SuSE Linux Enterprise Server 7,
SuSE Linux Office Server
Vulnerability Type: remote command execution
Severity (1-10): 8
SuSE default package: Yes
Cross References: http://www.pdc.kth.se/heimdal
Content of this advisory:
1) security vulnerability resolved: Various overflows in heimdal.
problem description, discussion, solution and upgrade information
2) pending vulnerabilities, solutions, workarounds:
- ghostview/kghostview
- fetchmail
3) standard appendix (further information)
______________________________________________________________________________
1) problem description, brief discussion, solution, upgrade information

The Heimdal package is a free Kerberos implementation offering flexible
authentication mechanisms based on the Kerberos 5 and Kerberos 4 scheme.
The SuSE Security Team has reviewed critical parts of the Heimdal
package such as the kadmind and kdc server. While doing so several
possible buffer overflows and other bugs have been uncovered and fixed.
Remote attackers can probably gain remote root access on unpatched systems.
Since these services usually run on authentication servers, we consider
these bugs to be very serious. An update is strongly recommended if you are
using the Heimdal package.

Please download the update package for your distribution and verify its
integrity by the methods listed in section 3) of this announcement.
Then, install the package using the command "rpm -Fhv file.rpm" to apply
the update.
Our maintenance customers are being notified individually. The packages
are being offered to install from the maintenance web.

To be sure the update takes effect you have to restart the services which
belong to the heimdal package. As root execute the command

    /etc/rc.d/kdc restart

If you are running other Kerberos-based services such as hpropd, make sure
you restart them as well.
i386 Intel Platform:
SuSE-8.0
ftp://ftp.suse.com/pub/suse/i386/update/8.0/d4/heimdal-devel-0.4e-191.i386.rpm
9dcb318864c2ad7c8bb11a51b0c1e12a
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec1/heimdal-lib-0.4e-191.i386.rpm
7971b5a482b0f8521c0a8bd07182be36
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/heimdal-0.4e-191.i386.rpm
fb6792204a9ec58f69a9dc7b4bcbed59
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/heimdal-0.4e-191.src.rpm
976383f4b7eeabcfc48ab4360a14586f
SuSE-7.3
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/heimdal-0.4d-132.i386.rpm
d2f174640a8d3b976eef3ff3afb642ee
ftp://ftp.suse.com/pub/suse/i386/update/7.3/sec2/heimdal-devel-0.4d-132.i386.rpm
fad86035d9b94aa50a9225c9e40618da
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/heimdal-0.4d-132.src.rpm
5d3afb07af86563e5eff5f0fad6113d4
SuSE-7.2
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec1/heimdal-lib-0.3e-83.i386.rpm
7a5f3f3e1c16481b6dea589bedd7ee44
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/heimdal-0.3e-83.i386.rpm
f94d2a88a2100b2b28496b1a8f3030c4
ftp://ftp.suse.com/pub/suse/i386/update/7.2/sec2/heimdal-devel-0.3e-83.i386.rpm
d4fa5f75cb1d422fe439a276fdfe8aca
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/heimdal-0.3e-83.src.rpm
a42a3535e0bd5966eb8b9d017213dfb5
Sparc Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec1/heimdal-lib-0.4d-67.sparc.rpm
c50802492db0e8728d666f3b38b7ca5e
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/heimdal-0.4d-67.sparc.rpm
595d21ca05b8c886c0887189bb76487d
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/sec2/heimdal-devel-0.4d-67.sparc.rpm
1dfe9d49c83303ddf3490497dffce7fa
source rpm:
ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/heimdal-0.4d-67.src.rpm
7c61896ca257f79656e35bc59e1de734
PPC Power PC Platform:
SuSE-7.3
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec1/heimdal-lib-0.4d-113.ppc.rpm
e905e8c468b9eddef6b8a785d5241914
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/heimdal-0.4d-113.ppc.rpm
7b816aa786118e481be811be6974177f
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/sec2/heimdal-devel-0.4d-113.ppc.rpm
100f9fbe35d82dcf02aed98aa70103b8
source rpm:
ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/heimdal-0.4d-113.src.rpm
24467d712a359516ae60462c56dc97df
______________________________________________________________________________
2) Pending vulnerabilities in SuSE Distributions and Workarounds:
- ghostview/kghostview
Buffer overflows have recently been discovered in these packages. They allow
attackers to execute arbitrary code with the privileges of the user
viewing specially crafted documents created by the attacker. New packages will
soon be available on our ftp servers.
- fetchmail
Fetchmail contains remotely exploitable overflows in the mail header
parsing functions. In depth discussion of these problems can be found at
http://security.e-matters.de/advisories/032002.html.
New packages will soon be available on our ftp servers.
______________________________________________________________________________
3) standard appendix: authenticity verification, additional information
- Package authenticity verification:
SuSE update packages are available on many mirror ftp servers all over
the world. While this service is being considered valuable and important
to the free and open source software community, many users wish to be
sure about the origin of the package and its content before installing
the package. There are two verification methods that can be used
independently from each other to prove the authenticity of a downloaded
file or rpm package:
1) md5sums as provided in the (cryptographically signed) announcement.
2) using the internal gpg signatures of the rpm package.
1) execute the command
md5sum
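Added example (not part of the SuSE announcement): one way to check downloaded packages against the URL/MD5 pairs listed in section 1, assuming the announcement text has already passed its PGP signature check, since the checksums are only as trustworthy as that signature. The function names and the SAMPLE excerpt (two entries copied from the SuSE-8.0 list) are choices made for this example.

```python
import hashlib
import re
from pathlib import Path

# An update URL followed (on the same or the next line) by its 32-hex-digit MD5.
PAIR = re.compile(r"(?:ftp|https?)://\S*/([^/\s]+\.rpm)\s+([0-9a-fA-F]{32})\b")


def parse_md5_list(advisory_text):
    """Map package file name -> expected MD5 taken from the advisory body."""
    expected = {}
    for name, digest in PAIR.findall(advisory_text):
        digest = digest.lower()
        # The same file name listed with two different sums means a damaged
        # or tampered listing; refuse to guess which one is right.
        if expected.setdefault(name, digest) != digest:
            raise ValueError(f"conflicting checksums listed for {name}")
    return expected


def md5_of(path, chunk=1 << 16):
    """Hash the file in chunks so large rpms are not read into memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_download(path, expected):
    """Return 'ok', 'mismatch' or 'unlisted' for one downloaded file."""
    name = Path(path).name
    if name not in expected:
        return "unlisted"          # never install a file the advisory did not list
    return "ok" if md5_of(path) == expected[name] else "mismatch"


# Excerpt in the advisory's layout; both entries are copied from the list above.
SAMPLE = """\
ftp://ftp.suse.com/pub/suse/i386/update/8.0/sec3/heimdal-0.4e-191.i386.rpm
fb6792204a9ec58f69a9dc7b4bcbed59
source rpm:
ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/heimdal-0.4e-191.src.rpm
976383f4b7eeabcfc48ab4360a14586f
"""

if __name__ == "__main__":
    import sys
    listed = parse_md5_list(SAMPLE)
    for rpm in sys.argv[1:]:
        print(rpm, check_download(rpm, listed))
```

Only files reported as "ok" should go on to "rpm -Fhv"; the parser also accepts the flattened form in which a URL and its checksum share one line.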
Hi Sebastian,
what about 8.1? Looks like heimdal 0.4e-186 is coming with it...
Best regards,
Ralf Ronneburger
Sebastian Krahmer wrote:
On Mon, 30 Sep 2002, Ralf Ronneburger wrote:
Hi,
for 8.1 the fix already made it in the packages. ;-)
regards,
Sebastian
> Hi Sebastian,
> what about 8.1? Looks like heimdal 0.4e-186 is coming with it...
> Best regards,
> Ralf Ronneburger
> Sebastian Krahmer wrote:
-- ~ ~ perl self.pl ~ $_='print"\$_=\47$_\47;eval"';eval ~ krahmer@suse.de - SuSE Security Team ~
Hi!
On Mon, 30 Sep 2002, Sebastian Krahmer wrote:
> 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
> - fetchmail
> Fetchmail contains remotely exploitable overflows in the mail header
> parsing functions. In depth discussion of these problems can be found at
> http://security.e-matters.de/advisories/032002.html.
> New packages will soon be available on our ftp servers.
According to the web page mentioned, fetchmail is only vulnerable in
"multidrop" mode, i.e. when multiple users share one POP3 mailbox and
fetchmail is asked to parse the mail headers to deliver them to the
final recipient...
Since this is not recommended anyway (being rather brain-dead), *most*
users should be safe by default, right?
Martin
On Tue, Oct 01, 2002 at 12:11:24PM +0200, Martin Köhling wrote:
> > 2) Pending vulnerabilities in SuSE Distributions and Workarounds:
> > - fetchmail
> > Fetchmail contains remotely exploitable overflows in the mail header
> > parsing functions. In depth discussion of these problems can be found at
> > http://security.e-matters.de/advisories/032002.html.
> > New packages will soon be available on our ftp servers.
> According to the web page mentioned, fetchmail is only vulnerable in
> "multidrop" mode, i.e. when multiple users share one POP3 mailbox and
> fetchmail is asked to parse the mail headers to deliver them to the
> final recipient...
> Since this is not recommended anyway (being rather brain-dead), *most*
> users should be safe by default, right?
Yes and no. According to the e-matters advisory there are also buffer
overflows when parsing email addresses. They think these are not
exploitable. But there's one lesson I've learned over the years which is
that if you say "can never be exploited" there's surely some creative
spirit out there who gives his best to come up with an exploit. And quite
often these folks do succeed...
Olaf
--
Olaf Kirch     | Anyone who has had to work with X.509 has probably
okir@suse.de   | experienced what can best be described as
---------------+ ISO water torture. -- Peter Gutmann
participants (4): Martin Köhling, Olaf Kirch, Ralf Ronneburger, Sebastian Krahmer