Linux patch potpourri

Opinion
May 30, 20055 mins

* Patches from Debian, Gentoo, Mandriva, others * Beware Mytob mass-mailer variants

Today’s bug patches and security alerts:

Ubuntu patches squid

A flaw in the way the Squid proxy server handles certain DNS requests could result in a user getting a spoofed page. A patch is available.

https://www.ubuntulinux.org/support/documentation/usn/usn-129-1

Ubuntu fixes kernel flaws

The Hyper-Threading technology in Ubuntu’s Linux implementation, used with Intel processors, could leak information. An attacker could exploit this to start a malicious system thread. For more, go to:

https://www.ubuntulinux.org/support/documentation/usn/usn-131-1

**********

Debian patches ppxp

A flaw in the ppxp, a ppp application, opens user supplied log files could result in said user gaining root shell privileges. For more, go to:

https://www.debian.org/security/2005/dsa-725

Debian releases fix for libconvert-uulib-perl

According to an advisory from Debian, “Mark Martinec and Robert Lewis discovered a buffer overflow in Convert::UUlib, a Perl interface to the uulib library, which may result in the execution of arbitrary code.” For more, go to:

https://www.debian.org/security/2005/dsa-727

**********

Gentoo patches Cheetah

A flaw in Cheetah, “a Python-powered template engine and code generator,” could be exploited to run malicious code. An attacker could upload the code to the /tmp directory, running it with elevated privileges. For more, go to:

https://security.gentoo.org/glsa/glsa-200505-14.xml

Gentoo fixes Net-SNMP

A flaw in the way Net-SNMP uses temporary files could be exploited in a symlink attack against the affected machine. An attacker could use this to run malicious code. For more, go to:

https://security.gentoo.org/glsa/glsa-200505-18.xml

**********

Fedora, Ubuntu patch libtiff

A flaw in libtiff, a TIFF image handling library, could be exploited by a malicious TIFF file. The application used by Libtiff could be crashed or the attacker may be able to run arbitrary code on the affected machine. For more, go to:

Fedora:

http://www.networkworld.com/go2/0530bug1a.html

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-130-1

**********

Gentoo, Mandriva, Ubuntu patch gbd

A heap overflow in the GNU debugger application (gbd) could be exploited to run malicious code on the affected machine. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200505-15.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:095

Ubuntu:

https://www.ubuntulinux.org/support/documentation/usn/usn-135-1

**********

Today’s roundup of virus alerts:

Troj/Gpcode-B – Another variant of the worm that encrypts data files on the infected hosts, holding the decryption key ransom. It creates the file “ATTENTION!!!.txt”, which contains instructions, once it is complete. (Sophos)

W32/Mytob-I – A new Mytob mass-mailing worm that uses multiple e-mail attributes to spread. One message is entitled “F-R-E-E. American Idol Screen Saver”. The virus installs “scvhost.exe” in the Windows System folder and can block access to security Web sites. (Sophos)

W32/Mytob-AJ – Another Mytob mass mailer. This one sends messages that look like they come from microsoft.com or a .gov domain. It too blocks access to security-related Web sites. (Sophos)

W32/Mytob-AK – Yet another Mytob variant. This particular one drops “WINTASK.exe” on the infected machine. (Sophos)

W32/Mytob-L – This variant looks like an account warning message and drops “nec.exe” on the target host. (Sophos)

W32/Mytob-CM – Another Mytob variant that is very similar to Mytob-L above, including the use of “nec.exe” as its infected host file. (Sophos)

Troj/Bancban-CW – A Trojan that tries to steal information entered into banking Web sites. It drops “lsass.scr” on the infected machine. (Sophos)

W32/Kipis-U – An e-mail worm that spreads through messages with attachments ending in ADB, DBX, DHTM, DOC, EML, HTM, MSG, PAB, PHP, SHTM, TBB, TXT, UIN, WAB or XLS. It allows backdoor access and can download malicious files to the infected machine. Kipis-U infects the regedit.com and iexplorer.exe files. (Sophos)

W32/Agobot-SN – A new Agobot variant that spreads through network shares, attempting to exploit buffer overflows and the Windows RPC-DCOM vulnerability. It drops “hmlsvc32.exe” on the infected machine and can be used for a number of malicious purposes. (Sophos)

W32/Agobot-ATK – An Agobot variant that is very similar to Agobot-SN above, including using the same infected file: “hmlsvc32.exe”. (Sophos)

Troj/Molehut-A – A Windows Trojan that installs itself as the service “Mole”. No other details are available. (Sophos)

Troj/RNWatch-A – A backdoor Trojan that drops “winierun.exe” and “bfwinier.exe” on the infected machine. No word on what it can be used for. (Sophos)

W32/Kassbot-E – A network worm that copies itself to “spools.exe” in the Windows System directory. It targets information entered into specific banking sites and sends the stolen data to a Russian Web site. (Sophos)

W32/Banish-A – This Trojan spreads through e-mail messages looking like a payment or trouble ticket confirmation. It infects smss.exe, lsass.exe, csrss.exe, services.exe or winlogon.exe. (Sophos)