__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
__________________________________________________________

                             INFORMATION BULLETIN

       Red Hat Updated XFree86 Packages Provide Security and Bug Fixes
                              [RHSA-2003:288-05]

November 18, 2003 18:00 GMT                                       Number O-027
[REVISED 21 Nov 2003]
[REVISED 25 Nov 2003]
[REVISED 02 Mar 2004]
______________________________________________________________________________
PROBLEM:       There are three vulnerabilities addressed by this update.
               1) Multiple integer overflows in the transfer and enumeration
                  of font libraries in XFree86
               2) XDM does not verify whether the pam_setcred function call
                  succeeds
               3) XDM uses a weak session cookie generation algorithm that
                  does not provide 128 bits of entropy

SOFTWARE:      Red Hat Linux 7.2, 7.3, 8.0, 9
               Red Hat Enterprise Linux AS (v.2.1)
               Red Hat Enterprise Linux ES (v.2.1)
               Red Hat Enterprise Linux WS (v.2.1)
               Red Hat Linux Advanced Workstation 2.1 for the Itanium Processor
               Debian GNU/Linux 3.0 (woody)

DAMAGE:        1) Allows a local or remote user to cause a denial of service
                  or execute arbitrary code via heap-based and stack-based
                  buffer overflow attacks
               2) May allow a normal user to gain root privileges by
                  triggering error conditions within PAM modules
               3) Allows remote attackers to guess session cookies and gain
                  access to a user's session

SOLUTION:      Apply the appropriate patch.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. A local user would be able to gain root
ASSESSMENT:    privileges.
______________________________________________________________________________
LINKS:         CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-027.shtml
               ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2003-288.html
               ADDITIONAL INFORMATION:
                 Red Hat RHSA-2003:289-07
                 https://rhn.redhat.com/errata/RHSA-2003-289.html
                 Red Hat RHSA-2003:287-05
                 https://rhn.redhat.com/errata/RHSA-2003-287.html
                 Debian Security Advisory DSA-443-1 xfree86
                 http://www.debian.org/security/2004/dsa-443
               CVE/CAN:  http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                 CVE-2003-0690  CVE-2003-0692  CVE-2003-0730
______________________________________________________________________________
REVISION HISTORY:
  11/21/03 - Updated Software section and added link to Red Hat's Bulletin
             RHSA-2003:289-07.
  11/25/03 - CIAC has revised O-027 to reflect Red Hat's addition of Red Hat
             Linux 7.3 and 8.0 to the Affected Products section, and added a
             link to RHSA-2003:287-05.
  03/02/04 - Added a link to patches available in the Debian Security Advisory
             DSA-443-1 xfree86.

[***** Start RHSA-2003:288-05 *****]

Updated XFree86 packages provide security and bug fixes

Advisory:             RHSA-2003:288-05
Last updated on:      2003-11-17
Affected Products:    Red Hat Linux 9
CVEs (cve.mitre.org): CAN-2003-0690
                      CAN-2003-0692
                      CAN-2003-0730

Security Advisory

Details:

Updated XFree86 packages for Red Hat Linux 9 provide security fixes to font
libraries and XDM.

XFree86 is an implementation of the X Window System providing the core
graphical user interface and video drivers in Red Hat Linux. XDM is the X
display manager.

Multiple integer overflows in the transfer and enumeration of font libraries
in XFree86 allow local or remote attackers to cause a denial of service or
execute arbitrary code via heap-based and stack-based buffer overflow attacks.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0730 to this issue.
The risk to users from this vulnerability is limited because only clients can
be affected by these bugs; however, in some (non-default) configurations, both
xfs and the X Server can act as clients to remote font servers.

XDM does not verify whether the pam_setcred function call succeeds, which may
allow attackers to gain root privileges by triggering error conditions within
PAM modules, as demonstrated in certain configurations of the pam_krb5 module.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned
the name CAN-2003-0690 to this issue.

XDM uses a weak session cookie generation algorithm that does not provide 128
bits of entropy, which allows attackers to guess session cookies via brute
force methods and gain access to the user session. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0692 to
this issue.

Users are advised to upgrade to these updated XFree86 4.3.0 packages, which
contain backported security patches and are not vulnerable to these issues.
Updated packages:

Red Hat Linux 9
--------------------------------------------------------------------------------

SRPMS:
XFree86-4.3.0-2.90.43.src.rpm                        197d83599eabea9ab424a9390fe7d753

i386:
XFree86-100dpi-fonts-4.3.0-2.90.43.i386.rpm          89864dfb981aaa052499e338cb85acd9
XFree86-4.3.0-2.90.43.i386.rpm                       31bbf1f22ba1fa6dea820b88e9a2059e
XFree86-75dpi-fonts-4.3.0-2.90.43.i386.rpm           edd5121ecf72d39fd7581145c8b7fcbc
XFree86-base-fonts-4.3.0-2.90.43.i386.rpm            6f2aca8b9f3137b5da779c56eb73ec14
XFree86-cyrillic-fonts-4.3.0-2.90.43.i386.rpm        5aa4659e2ec992b1b087e8d6c7190ff6
XFree86-devel-4.3.0-2.90.43.i386.rpm                 c6f870637e148f1da88e93181191f8da
XFree86-doc-4.3.0-2.90.43.i386.rpm                   0a427f41d4558bdd0b5cbcc857b9f766
XFree86-font-utils-4.3.0-2.90.43.i386.rpm            b3d53e1f9112010e9d3d2a866cfe4157
XFree86-ISO8859-14-100dpi-fonts-4.3.0-2.90.43.i386.rpm  826d4f7c2914b732ca43485266b3daad
XFree86-ISO8859-14-75dpi-fonts-4.3.0-2.90.43.i386.rpm   89088cdc60bb8569da301d50e05d8f63
XFree86-ISO8859-15-100dpi-fonts-4.3.0-2.90.43.i386.rpm  91b062cc8015a5898894bfdf90d6ff99
XFree86-ISO8859-15-75dpi-fonts-4.3.0-2.90.43.i386.rpm   9f59c6547411fd257c45a953ab6e5921
XFree86-ISO8859-2-100dpi-fonts-4.3.0-2.90.43.i386.rpm   4e1c0ac39a47f968a2e7299be1efaf48
XFree86-ISO8859-2-75dpi-fonts-4.3.0-2.90.43.i386.rpm    bf9432be1a3ce7d4b24901420f07fb5d
XFree86-ISO8859-9-100dpi-fonts-4.3.0-2.90.43.i386.rpm   96aa54b74718fdbdd72e8ccec8415b3f
XFree86-ISO8859-9-75dpi-fonts-4.3.0-2.90.43.i386.rpm    bc79f57efa4e1a845382827d9021fd1e
XFree86-libs-4.3.0-2.90.43.i386.rpm                  d3b427915a56fcf2a4de2a26266f7903
XFree86-libs-data-4.3.0-2.90.43.i386.rpm             83dd0d4ecae97e40f0bd47ed07309b93
XFree86-Mesa-libGL-4.3.0-2.90.43.i386.rpm            5f72d9cb4aac84f6dfd2fc0439037272
XFree86-Mesa-libGLU-4.3.0-2.90.43.i386.rpm           50b9edb13b54d3769602da54bb3183af
XFree86-sdk-4.3.0-2.90.43.i386.rpm                   7b970292113693ae24285baca7effcd5
XFree86-syriac-fonts-4.3.0-2.90.43.i386.rpm          aef8d7a6c6639c8ae9b5c8d554e458d2
XFree86-tools-4.3.0-2.90.43.i386.rpm                 99a9274e87f44f1186fb53acf0e47553
XFree86-truetype-fonts-4.3.0-2.90.43.i386.rpm        371796a37e8f6f15d07cbbb4a2d35539
XFree86-twm-4.3.0-2.90.43.i386.rpm                   aa51b88ccb54f3cf3b93cc02271d107e
XFree86-xauth-4.3.0-2.90.43.i386.rpm                 d6c6c99723f3711befd8071567f79550
XFree86-xdm-4.3.0-2.90.43.i386.rpm                   f3b70dbc805125764fb118e6bd81fd3a
XFree86-xfs-4.3.0-2.90.43.i386.rpm                   f97f679e9543b2506d41deff0afc2042
XFree86-Xnest-4.3.0-2.90.43.i386.rpm                 b37d0aefee6a1b379be3ab30cd1923df
XFree86-Xvfb-4.3.0-2.90.43.i386.rpm                  dd3a8c3271854b8e26dad948998e8952

Solution

Before applying this update, make sure all previously released errata relevant
to your system have been applied.

To update all RPMs for your particular architecture, run:

    rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those RPMs
which are currently installed will be updated. Those RPMs which are not
installed but included in the list will not be updated. Note that you can also
use wildcards (*.rpm) if your current directory *only* contains the desired
RPMs.

Please note that this update is also available via Red Hat Network. Many people
find this an easier way to apply updates.
To use Red Hat Network, launch the Red Hat Update Agent with the following
command:

    up2date

This will start an interactive process that will result in the appropriate RPMs
being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL Certificate Errors,
you need to install a version of the up2date client with an updated
certificate. The latest version of up2date is available from the Red Hat FTP
site and may also be downloaded directly from the RHN website:

    https://rhn.redhat.com/help/latest-up2date.pxt

References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0690
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0692
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0730

--------------------------------------------------------------------------------

The listed packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

    http://www.redhat.com/solutions/security/news/publickey/#key

You can verify each package and see who signed it with the following command:

    rpm --checksig -v filename

If you only wish to verify that each package has not been corrupted or tampered
with, examine only the md5sum with the following command:

    md5sum filename

The Red Hat security contact is security@redhat.com. More contact details at
http://www.redhat.com/solutions/security/news/contact.html

[***** End RHSA-2003:288-05 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-017: SQL Injection Vulnerability in Oracle9i Application Server
O-018: Hewlett Packard Java VM Classloader (J2SE)
O-019: Hewlett Packard NLSPATH may contain any path
O-020: Sun Buffer Overflow Vulnerability in the CDE DtHelp Library
O-021: Microsoft Cumulative Security Update for Internet Explorer
O-022: Microsoft Buffer Overrun Vulnerability in Workstation Service
O-023: Microsoft Word and Excel Vulnerabilities
O-024: Microsoft Buffer Overrun in Microsoft FrontPage
O-025: ISS PeopleSoft IClient Servlet Remote Command Execution Vulnerability
O-026: Red Hat Updated PostgreSQL Packages Fix Buffer Overflow