20060901-01-P

http://bugs.gentoo.org/show_bug.cgi?id=141728

http://downloads.avaya.com/css/P8/documents/100158840

RHSA-2012:0810

21427

21434

21437

21467

21880

22036

22296

22377

GLSA-200610-03

1016836

http://support.avaya.com/elmodocs2/security/ASA-2006-226.htm

DSA-1149

MDKSA-2006:140

MDVSA-2012:129

SUSE-SR:2006:020

RHSA-2006:0663

19455

ADV-2006-3234

https://bugzilla.redhat.com/show_bug.cgi?id=728536

ncompress-decompress-underflow(28315)

oval:org.mitre.oval:def:9373

An updated rhev-hypervisor5 package that fixes several security issues and various bugs is now available.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

The rhev-hypervisor5 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. The Red Hat Enterprise Virtualization Hypervisor is a dedicated Kernel-based Virtual Machine (KVM) hypervisor. It includes everything necessary to run and manage virtual machines: A subset of the Red Hat Enterprise Linux operating environment and the Red Hat Enterprise Virtualization Agent.

Note: Red Hat Enterprise Virtualization Hypervisor is only available for the Intel 64 and AMD64 architectures with virtualization extensions.

A heap overflow flaw was found in the way QEMU-KVM emulated the e1000 network interface card. A privileged guest user in a virtual machine whose network interface is configured to use the e1000 emulated driver could use this flaw to crash the host or, possibly, escalate their privileges on the host. (CVE-2012-0029)

A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query() function. An attacker able to send certain IGMP (Internet Group Management Protocol) packets to a target system could use this flaw to cause a denial of service. (CVE-2012-0207)

A double free flaw was discovered in the policy checking code in OpenSSL. A remote attacker could use this flaw to crash an application that uses OpenSSL by providing an X.509 certificate that has specially crafted policy extension data. (CVE-2011-4109)

An information leak flaw was found in the SSL 3.0 protocol implementation in OpenSSL. Incorrect initialization of SSL record padding bytes could cause an SSL client or server to send a limited amount of possibly sensitive data to its SSL peer via the encrypted connection. (CVE-2011-4576)

It was discovered that OpenSSL did not limit the number of TLS/SSL handshake restarts required to support Server Gated Cryptography. A remote attacker could use this flaw to make a TLS/SSL server using OpenSSL consume an excessive amount of CPU by continuously restarting the handshake. (CVE-2011-4619)

Red Hat would like to thank Nicolae Mogoreanu for reporting CVE-2012-0029, and Simon McVittie for reporting CVE-2012-0207.

This updated package provides updated components that include fixes for various security issues. These issues have no security impact on Red Hat Enterprise Virtualization Hypervisor itself, however. The security fixes included in this update address the following CVE numbers :

CVE-2006-1168 and CVE-2011-2716 (busybox issues)

CVE-2009-5029, CVE-2009-5064, CVE-2010-0830 and CVE-2011-1089 (glibc issues)

CVE-2011-1083, CVE-2011-3638, CVE-2011-4086, CVE-2011-4127 and CVE-2012-0028 (kernel issues)

CVE-2011-1526 (krb5 issue)

CVE-2011-4347 (kvm issue)

CVE-2010-4008, CVE-2011-0216, CVE-2011-2834, CVE-2011-3905, CVE-2011-3919 and CVE-2011-1944 (libxml2 issues)

CVE-2011-1749 (nfs-utils issue)

CVE-2011-4108 (openssl issue)

CVE-2011-0010 (sudo issue)

CVE-2011-1675 and CVE-2011-1677 (util-linux issues)

CVE-2010-0424 (vixie-cron issue)

This updated rhev-hypervisor5 package fixes various bugs.
Documentation of these changes will be available shortly in the Technical Notes document :

https://docs.redhat.com/docs/en-US/ Red_Hat_Enterprise_Virtualization_for_Servers/2.2/html/Technical_Notes / index.html

Users of Red Hat Enterprise Virtualization Hypervisor are advised to upgrade to this updated package, which fixes these issues.

The remote host is affected by the vulnerability described in GLSA-201312-02 (BusyBox: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in BusyBox. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could send a specially crafted DHCP request to       possibly execute arbitrary code or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. (CVE-2011-2716)

From Red Hat Security Advisory 2012:0810 :

Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

This update also fixes the following bugs :

* Prior to this update, the 'findfs' command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. (BZ#751927)

* If the 'grep' command was used with the '-F' and '-i' options at the same time, the '-i' option was ignored. As a consequence, the 'grep
-iF' command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the '-F' and '-i' options works as expected.
(BZ#752134)

* Prior to this update, the msh shell did not support the 'set -o pipefail' command. This update adds support for this command.
(BZ#782018)

* Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. (BZ#809092)

* Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur. (BZ#752132)

All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

From Red Hat Security Advisory 2012:0308 :

Updated busybox packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

This update also fixes the following bugs :

* Prior to this update, the cp command wrongly returned the exit code 0 to indicate success if a device ran out of space while attempting to copy files of more than 4 gigabytes. This update modifies BusyBox, so that in such situations, the exit code 1 is returned. Now, the cp command shows correctly whether a process failed. (BZ#689659)

* Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in '/dev/'. This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723)

All users of busybox are advised to upgrade to these updated packages, which correct these issues.

From Red Hat Security Advisory 2006:0663 :

Updated ncompress packages that address a security issue and fix bugs are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

The ncompress package contains file compression and decompression utilities, which are compatible with the original UNIX compress utility (.Z file extensions).

Tavis Ormandy of the Google Security Team discovered a lack of bounds checking in ncompress. An attacker could create a carefully crafted file that could execute arbitrary code if uncompressed by a victim.
(CVE-2006-1168)

In addition, two bugs that affected Red Hat Enterprise Linux 4 ncompress packages were fixed :

* The display statistics and compression results in verbose mode were not shown when operating on zero length files.

* An attempt to compress zero length files resulted in an unexpected return code.

Users of ncompress are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Multiple vulnerabilities was found and corrected in busybox :

The decompress function in ncompress allows remote attackers to cause a denial of service (crash), and possibly execute arbitrary code, via crafted data that leads to a buffer underflow (CVE-2006-1168).

A missing DHCP option checking / sanitization flaw was reported for multiple DHCP clients. This flaw may allow DHCP server to trick DHCP clients to set e.g. system hostname to a specially crafted value containing shell special characters. Various scripts assume that hostname is trusted, which may lead to code execution when hostname is specially crafted (CVE-2011-2716).

Additionally for Mandriva Enterprise Server 5 various problems in the ka-deploy and uClibc packages was discovered and fixed with this advisory.

The updated packages have been patched to correct these issues.

Update :

The wrong set of packages was sent out with the MDVSA-2012:129 advisory that lacked the fix for CVE-2006-1168. This advisory provides the correct packages.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Scientific Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

This update also fixes the following bugs :

  - Prior to this update, the 'findfs' command did not     recognize Btrfs partitions. As a consequence, an error     message could occur when dumping a core file. This     update adds support for recognizing such partitions so     the problem no longer occurs.

  - If the 'grep' command was used with the '-F' and '-i'     options at the same time, the '-i' option was ignored.
    As a consequence, the 'grep -iF' command incorrectly     performed a case-sensitive search instead of an     insensitive search. A patch has been applied to ensure     that the combination of the '-F' and '-i' options works     as expected.

  - Prior to this update, the msh shell did not support the     'set -o pipefail' command. This update adds support for     this command.

  - Previously, the msh shell could terminate unexpectedly     with a segmentation fault when attempting to execute an     empty command as a result of variable substitution (for     example msh -c '$nonexistent_variable'). With this     update, msh has been modified to correctly interpret     such commands and no longer crashes in this scenario.

  - Previously, the msh shell incorrectly executed empty     loops. As a consequence, msh never exited such a loop     even if the loop condition was false, which could cause     scripts using the loop to become unresponsive. With this     update, msh has been modified to execute and exit empty     loops correctly, so that hangs no longer occur.

All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Scientific Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

This update also fixes the following bugs :

  - Prior to this update, the cp command wrongly returned     the exit code 0 to indicate success if a device ran out     of space while attempting to copy files of more than 4     gigabytes. This update modifies BusyBox, so that in such     situations, the exit code 1 is returned. Now, the cp     command shows correctly whether a process failed.

  - Prior to this update, the findfs command failed to check     all existing block devices on a system with thousands of     block device nodes in '/dev/'. This update modifies     BusyBox so that findfs checks all block devices even in     this case.

All users of busybox are advised to upgrade to these updated packages, which correct these issues.

Updated busybox packages that fix two security issues and several bugs are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

This update also fixes the following bugs :

* Prior to this update, the 'findfs' command did not recognize Btrfs partitions. As a consequence, an error message could occur when dumping a core file. This update adds support for recognizing such partitions so the problem no longer occurs. (BZ#751927)

* If the 'grep' command was used with the '-F' and '-i' options at the same time, the '-i' option was ignored. As a consequence, the 'grep
-iF' command incorrectly performed a case-sensitive search instead of an insensitive search. A patch has been applied to ensure that the combination of the '-F' and '-i' options works as expected.
(BZ#752134)

* Prior to this update, the msh shell did not support the 'set -o pipefail' command. This update adds support for this command.
(BZ#782018)

* Previously, the msh shell could terminate unexpectedly with a segmentation fault when attempting to execute an empty command as a result of variable substitution (for example msh -c '$nonexistent_variable'). With this update, msh has been modified to correctly interpret such commands and no longer crashes in this scenario. (BZ#809092)

* Previously, the msh shell incorrectly executed empty loops. As a consequence, msh never exited such a loop even if the loop condition was false, which could cause scripts using the loop to become unresponsive. With this update, msh has been modified to execute and exit empty loops correctly, so that hangs no longer occur. (BZ#752132)

All users of busybox are advised to upgrade to these updated packages, which contain backported patches to fix these issues.

Updated busybox packages that fix two security issues and two bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

BusyBox provides a single binary that includes versions of a large number of system commands, including a shell. This can be very useful for recovering from certain types of system failures, particularly those involving broken shared libraries.

A buffer underflow flaw was found in the way the uncompress utility of BusyBox expanded certain archive files compressed using Lempel-Ziv compression. If a user were tricked into expanding a specially crafted archive file with uncompress, it could cause BusyBox to crash or, potentially, execute arbitrary code with the privileges of the user running BusyBox. (CVE-2006-1168)

The BusyBox DHCP client, udhcpc, did not sufficiently sanitize certain options provided in DHCP server replies, such as the client hostname.
A malicious DHCP server could send such an option with a specially crafted value to a DHCP client. If this option's value was saved on the client system, and then later insecurely evaluated by a process that assumes the option is trusted, it could lead to arbitrary code execution with the privileges of that process. Note: udhcpc is not used on Red Hat Enterprise Linux by default, and no DHCP client script is provided with the busybox packages. (CVE-2011-2716)

This update also fixes the following bugs :

* Prior to this update, the cp command wrongly returned the exit code 0 to indicate success if a device ran out of space while attempting to copy files of more than 4 gigabytes. This update modifies BusyBox, so that in such situations, the exit code 1 is returned. Now, the cp command shows correctly whether a process failed. (BZ#689659)

* Prior to this update, the findfs command failed to check all existing block devices on a system with thousands of block device nodes in '/dev/'. This update modifies BusyBox so that findfs checks all block devices even in this case. (BZ#756723)

All users of busybox are advised to upgrade to these updated packages, which correct these issues.

Lack of bounds checking in the decompression routine could result in a heap buffer underflow. Attackers could potentially exploit this to execute arbitrary code by tricking users into decompressing a specially crafted archive. (CVE-2006-1168)

Tavis Ormandy, of the Google Security Team, discovered that ncompress, when uncompressing data, performed no bounds checking, which could allow a specially crafted datastream to underflow a .bss buffer with attacker controlled data.

Updated packages have been patched to correct this issue.

Tavis Ormandy from the Google Security Team discovered a missing boundary check in ncompress, the original Lempel-Ziv compress and uncompress programs, which allows a specially crafted datastream to underflow a buffer with attacker controlled data.

The remote host is affected by the vulnerability described in GLSA-200610-03 (ncompress: Buffer Underflow)

    Tavis Ormandy of the Google Security Team discovered a static buffer     underflow in ncompress.
  Impact :

    An attacker could create a specially crafted LZW archive, that when     decompressed by a user or automated system would result in the     execution of arbitrary code with the permissions of the user invoking     the utility.
  Workaround :

    There is no known workaround at this time.

Updated ncompress packages that address a security issue and fix bugs are now available.

This update has been rated as having low security impact by the Red Hat Security Response Team.

The ncompress package contains file compression and decompression utilities, which are compatible with the original UNIX compress utility (.Z file extensions).

Tavis Ormandy of the Google Security Team discovered a lack of bounds checking in ncompress. An attacker could create a carefully crafted file that could execute arbitrary code if uncompressed by a victim.
(CVE-2006-1168)

In addition, two bugs that affected Red Hat Enterprise Linux 4 ncompress packages were fixed :

* The display statistics and compression results in verbose mode were not shown when operating on zero length files.

* An attempt to compress zero length files resulted in an unexpected return code.

Users of ncompress are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

ID	Name	Product	Family	Severity
79283	RHEL 5 : rhev-hypervisor5 (RHSA-2012:0168)	Nessus	Red Hat Local Security Checks	high
71168	GLSA-201312-02 : BusyBox: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69593	Amazon Linux AMI : busybox (ALAS-2012-103)	Nessus	Amazon Linux Local Security Checks	high
68550	Oracle Linux 6 : busybox (ELSA-2012-0810)	Nessus	Oracle Linux Local Security Checks	high
68479	Oracle Linux 5 : busybox (ELSA-2012-0308)	Nessus	Oracle Linux Local Security Checks	high
67406	Oracle Linux 3 / 4 : ncompress (ELSA-2006-0663)	Nessus	Oracle Linux Local Security Checks	high
61978	Mandriva Linux Security Advisory : busybox (MDVSA-2012:129-1)	Nessus	Mandriva Local Security Checks	high
61337	Scientific Linux Security Update : busybox on SL6.x i386/x86_64 (20120620)	Nessus	Scientific Linux Local Security Checks	high
61257	Scientific Linux Security Update : busybox on SL5.x i386/x86_64 (20120221)	Nessus	Scientific Linux Local Security Checks	high
59921	CentOS 6 : busybox (CESA-2012:0810)	Nessus	CentOS Local Security Checks	high
59586	RHEL 6 : busybox (RHSA-2012:0810)	Nessus	Red Hat Local Security Checks	high
58062	RHEL 5 : busybox (RHSA-2012:0308)	Nessus	Red Hat Local Security Checks	high
29527	SuSE 10 Security Update : ncompress (ZYPP Patch Number 1911)	Nessus	SuSE Local Security Checks	high
23889	Mandrake Linux Security Advisory : ncompress (MDKSA-2006:140)	Nessus	Mandriva Local Security Checks	high
22691	Debian DSA-1149-1 : ncompress - buffer underflow	Nessus	Debian Local Security Checks	high
22522	GLSA-200610-03 : ncompress: Buffer Underflow	Nessus	Gentoo Local Security Checks	high
22345	RHEL 2.1 / 3 / 4 : ncompress (RHSA-2006:0663)	Nessus	Red Hat Local Security Checks	high
22338	CentOS 3 / 4 : ncompress (CESA-2006:0663)	Nessus	CentOS Local Security Checks	high

CVE-2006-1168

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins