AOH :: Linux :: Red Hat/Fedora

AOH :: Linux :: Red Hat/Fedora :: CIACL063.HTM
RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call

RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call Privacy and Legal Notice CIAC INFORMATION BULLETIN L-063: RedHat Linux Log Code Buffer Overflow/Unguarded Browser Call March 22, 2001 21:00 GMT


PROBLEM:	Two Security Vulnerabilities: Logging code flaw provides potential buffer overflow. There exists an unguarded system call to execute an external browser when receiving an URL.
PLATFORM:	Red Hat Linux 7.0 - alpha, i386
DAMAGE:	Unauthorized access to system.
SOLUTION:	Apply the patches provided below.

VULNERABILITY ASSESSMENT:	MEDIUM to HIGH. This is remotely exploitable.


[******  Start Red Hat Advisory Here ******]

---------------------------------------------------------------------
                   Red Hat, Inc. Red Hat Security Advisory


Synopsis:          Updated licq packages fixing security problems available
Advisory ID:       RHSA-2001:022-03
Issue date:        2001-02-28
Updated on:        2001-03-21
Product:           Red Hat Linux
Keywords:          licq buffer overrun system() system
Cross references:
Obsoletes:
---------------------------------------------------------------------


1. Topic:


Updated Red Hat Linux 7 packages fixing two security problems in licq are
available.


2. Relevant releases/architectures:


Red Hat Linux 7.0 - alpha, i386


3. Problem description:


licq as shipped with Red Hat Linux 7 is vulnerable to two security
problems:
An overrunnable buffer in its logging code, and an unguarded system()
call to execute an external browser when receiving an URL.


4. Solution:


To update all RPMs for your particular architecture, run:


rpm -Fvh 


where  is a list of the RPMs you wish to upgrade.  Only those
RPMs which are currently installed will be updated.  Those RPMs which are
not installed but included in the list will not be updated.  Note that you
can also use wildcards (*.rpm) if your current directly *only* contains the
desired RPMs.


Please note that this update is also available via Red Hat Network.  Many
people find this an easier way to apply updates.  To use Red Hat Network,
launch the Red Hat Update Agent with the following command:


up2date


This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.


5. Bug IDs fixed: (http://bugzilla.redhat.com/bugzilla for more info)




6. RPMs required:


Red Hat Linux 7.0:


SRPMS:
ftp://updates.redhat.com/7.0/SRPMS/licq-1.0.2-2.src.rpm


alpha:
ftp://updates.redhat.com/7.0/alpha/licq-1.0.2-2.alpha.rpm


i386:
ftp://updates.redhat.com/7.0/i386/licq-1.0.2-2.i386.rpm



7. Verification:


MD5 sum                           Package Name
--------------------------------------------------------------------------
ec5c4980d4d5355549d546d57ca22b94  7.0/SRPMS/licq-1.0.2-2.src.rpm
1db692b7becd9102d617b57153a9b9e9  7.0/alpha/licq-1.0.2-2.alpha.rpm
6a82d8024e0b8922a2ce846b6cba61dc  7.0/i386/licq-1.0.2-2.i386.rpm


These packages are GPG signed by Red Hat, Inc. for security.  Our key
is available at:
    http://www.redhat.com/corp/contact.html


You can verify each package with the following command:
    rpm --checksig  


If you only wish to verify that each package has not been corrupted or
tampered with, examine only the md5sum with the following command:
    rpm --checksig --nogpg 


8. References:

Copyright(c) 2000, 2001 Red Hat, Inc.


[******  End Red Hat Advisory Here ******]

CIAC wishes to acknowledge the contributions of Red Hat for the information contained in this bulletin.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

UCRL-MI-119788
[Privacy and Legal Notice]

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better). Site design & layout copyright © 1986-2009 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.