[FINAL] ACCEPT 22 candidates from LINUX cluster

To: cve-editorial-board-list@lists.mitre.org
Subject: [FINAL] ACCEPT 22 candidates from LINUX cluster
From: "Steven M. Christey" <coley@linus.mitre.org>
Date: Mon, 3 Jan 2000 21:53:34 -0500 (EST)
Delivery-Date: Mon Jan 3 21:58:06 2000
Sender: owner-cve-editorial-board-list@lists.mitre.org
I have made a Final Decision to ACCEPT the following candidates.
These candidates are now assigned CVE names as noted below.  The
resulting CVE entries will be published in the near future in a new
version of CVE.  Voting details and comments are provided at the end
of this report.

- Steve


Candidate	CVE Name
---------	----------
CAN-1999-0705	CVE-1999-0705
CAN-1999-0706	CVE-1999-0706
CAN-1999-0710	CVE-1999-0710
CAN-1999-0730	CVE-1999-0730
CAN-1999-0731	CVE-1999-0731
CAN-1999-0732	CVE-1999-0732
CAN-1999-0735	CVE-1999-0735
CAN-1999-0769	CVE-1999-0769
CAN-1999-0774	CVE-1999-0774
CAN-1999-0804	CVE-1999-0804
CAN-1999-0810	CVE-1999-0810
CAN-1999-0812	CVE-1999-0812
CAN-1999-0814	CVE-1999-0814
CAN-1999-0817	CVE-1999-0817
CAN-1999-0894	CVE-1999-0894
CAN-1999-0900	CVE-1999-0900
CAN-1999-0901	CVE-1999-0901
CAN-1999-0902	CVE-1999-0902
CAN-1999-0907	CVE-1999-0907
CAN-1999-0914	CVE-1999-0914
CAN-1999-0939	CVE-1999-0939
CAN-1999-0940	CVE-1999-0940


=================================
Candidate: CAN-1999-0705
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: XF:inn-inews-bo
Reference: REDHAT:RHSA1999033_01
Reference: CALDERA:CSSA-1999-026
Reference: SUSE:19990831 Security hole in INN
Reference: DEBIAN:19990907
Reference: BID:616

Buffer overflow in INN inews program.

Modifications:
  ADDREF SUSE:19990831 Security hole in INN

INFERRED VOTE: CAN-1999-0705 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: SUSE: Security hole in INN 31.08.99


=================================
Candidate: CAN-1999-0706
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990807
Reference: SUSE:19990817 Security hole in i4l (xmonisdn)
Reference: BID:583

Linux xmonisdn package allows local users to gain root privileges by
modifying the IFS or PATH environmental variables.

Modifications:
  ADDREF SUSE:19990817 Security hole in i4l (xmonisdn)
  DESC remove Debian - applies to various Linuxes

INFERRED VOTE: CAN-1999-0706 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: SUSE: Security Hole in i4l (xmonisdn) 17.08.1999
 Stracener> Add Ref: CSSA-1999-019.0  Security problem with xmonisdn
 Stracener> The issue with xmonisdn is not isolated to the Debian isdnutils package. The
 Stracener> description should be rewritten to encompass a greater level of generality.
 Stracener> I suggest: "xmonisdn allows local users to gain root privileges by modifying
 Stracener> the IFS or PATH environmental variables."


=================================
Candidate: CAN-1999-0710
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: CF
Reference: REDHAT:RHSA-1999:025-01
Reference: BUGTRAQ:19990725 Redhat 6.0 cachemgr.cgi lameness

The RedHat squid program installs cachemegr.cgi in a public web
directory, allowing remote attackers to use it as an intermediary to
connect to other systems.

INFERRED VOTE: CAN-1999-0710 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> I recommend we categorize this as a Configuration Error (CF) as cachemgr.cgi
 Stracener> shipped with insecure default permissions.


=================================
Candidate: CAN-1999-0730
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990612

The zsoelim program in the Debian man-db package allows local users to
overwrite files via a symlink attack.

INFERRED VOTE: CAN-1999-0730 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0731
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990623 Security flaw in klock
Reference: CALDERA:CSSA-1999:017
Reference: SUSE:19990629 Security hole in Klock
Reference: BID:489

The KDE klock program allows local users to unlock a session using
malformed input.

Modifications:
  ADDREF SUSE:19990629 Security hole in Klock
  ADDREF BID:489
  CHANGEREF BUGTRAQ [add date]

INFERRED VOTE: CAN-1999-0731 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Red: SUSE: Security hole in Klock 29.06.1999:


=================================
Candidate: CAN-1999-0732
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: DEBIAN:19990823b
Reference: XF:smtp-refuser-tmp

The logging facilitity of the Debian smtp-refuser package allows local
users to delete arbitrary files using symbolic links.

INFERRED VOTE: CAN-1999-0732 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0735
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: ISS:KDE K-Mail File Creation Vulnerability
Reference: CALDERA:CSSA-1999:016
Reference: REDHAT:RHSA-1999:015-01

KDE K-Mail allows local users to gain privileges via a symlink attack
in temporary user directories.

Modifications:
  ADDREF REDHAT:RHSA-1999:015-01

INFERRED VOTE: CAN-1999-0735 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: REDHAT: RHSA-1999:015-01


=================================
Candidate: CAN-1999-0769
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: REDHAT:RHSA-1999:030-02
Reference: CALDERA:CSSA-1999:023.0
Reference: SUSE:19990829 Security hole in cron
Reference: DEBIAN:19990830 cron
Reference: BID:611

Vixie Cron on Linux systems allows local users to set parameters of
sendmail commands via the MAILTO environmental variable.

Modifications:
  ADDREF SUSE:19990829 Security hole in cron
  ADDREF DEBIAN:19990830 cron

INFERRED VOTE: CAN-1999-0769 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(1) Blake
   MODIFY(2) Cole, Stracener

COMMENTS:
 Cole> It is done by failure to validate the contents.
 Stracener> Add Ref: DEBIAN: cron  [30 Aug 1999]
 Stracener> Add Ref: SUSE: Security hole in cron  29.08.1999:


=================================
Candidate: CAN-1999-0774
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990830 Babcia Padlina Ltd. security advisory: mars_nwe buffer overf
Reference: REDHAT:RHSA1999037_01
Reference: SUSE:19990916 Security hole in mars nwe
Reference: BID:617

Buffer overflows in Mars NetWare Emulation (NWE, mars_nwe) package via
long directory names.

Modifications:
  ADDREF SUSE:19990916 Security hole in mars nwe

INFERRED VOTE: CAN-1999-0774 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: SUSE: Security hole in mars nwe 16.09.1999


=================================
Candidate: CAN-1999-0804
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990601 Linux kernel 2.2.x vulnerability/exploit
Reference: DEBIAN:19990607
Reference: CALDERA:CSSA-1999:013
Reference: SUSE:19990602 Denial of Service on the 2.2 kernel
Reference: REDHAT:19990603 Kernel Update
Reference: BID:302

Denial of service in Linux 2.2.x kernels via malformed ICMP packets
containing unusual types, codes, and IP header lengths.

Modifications:
  ADDREF REDHAT:19990603 Kernel Update

INFERRED VOTE: CAN-1999-0804 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: REDHAT: Kernel Update 03-June-1999


=================================
Candidate: CAN-1999-0810
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: REDHAT:RHSA-1999:022-02
Reference: CALDERA:CSSA-1999:018.0
Reference: SUSE:19990816 Security hole in Samba
Reference: DEBIAN:19990731 Samba

Denial of service in Samba NETBIOS name service daemon (nmbd).

Modifications:
  ADDREF CALDERA:CSSA-1999:018.0
  ADDREF SUSE:19990816 Security hole in Samba
  ADDREF DEBIAN:19990731 Samba

INFERRED VOTE: CAN-1999-0810 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: CALDERA: CSSA-1999:018.0
 Stracener> Add Ref: DEBIAN: Samba [31-Jul-1999]
 Stracener> Add Ref: SUSE: Security hole in Samba 16.08.1999


=================================
Candidate: CAN-1999-0812
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: BUGTRAQ:19990721 Samba 2.0.5 security fixes
Reference: REDHAT:RHSA-1999:022-02
Reference: CALDERA:CSSA-1999:018.0
Reference: SUSE:19990816 Security hole in Samba
Reference: DEBIAN:19990731 Samba

Race condition in Samba smbmnt allows local users to mount file
systems in arbitrary locations.

Modifications:
  ADDREF CALDERA:CSSA-1999:018.0
  ADDREF SUSE:19990816 Security hole in Samba
  ADDREF DEBIAN:19990731 Samba

INFERRED VOTE: CAN-1999-0812 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: CALDERA: CSSA-1999:018.0
 Stracener> Add Ref: DEBIAN: Samba [31-Jul-1999]
 Stracener> Add Ref: SUSE: Security hole in Samba 16.08.1999


=================================
Candidate: CAN-1999-0814
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: unknown
Reference: REDHAT:RHSA-1999:027

Red Hat pump DHCP client allows remote attackers to gain root access
in some configurations.

INFERRED VOTE: CAN-1999-0814 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener
   NOOP(1) Christey

COMMENTS:
 Stracener> Recommend Category CF
 Christey> The advisory says that the problem occurs in some
 Christey> configurations, but is it a software bug that's only
 Christey> exploitable in some configs?  That'd be an SF... or is it
 Christey> a configuration that's insecure?  That'd be a CF.


=================================
Candidate: CAN-1999-0817
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991125
Category: SF
Reference: SUSE:19990915 Security hole in lynx

Lynx WWW client allows a remote attacker to specify command-line
parameters which Lynx uses when calling external programs to handle
certain protocols, e.g. telnet.

INFERRED VOTE: CAN-1999-0817 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0894
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: REDHAT:RHSA1999042-01

Red Hat Linux screen program does not use Unix98 ptys, allowing
local users to write to other terminals.

INFERRED VOTE: CAN-1999-0894 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0900
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: REDHAT:RHSA1999046-01
Reference: SUSE:19991023 Security hole in ypserv < 1.3.9
Reference: DEBIAN:19991027 nis

Buffer overflow in rpc.yppasswdd allows a local user to gain
privileges via MD5 hash generation.

Modifications:
  ADDREF SUSE:19991023 Security hole in ypserv < 1.3.9
  ADDREF DEBIAN:19991027 nis

INFERRED VOTE: CAN-1999-0900 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: SUSE: Security hole in ypserv < 1.3.9  23.10.1999
 Stracener> Add Ref: DEBIAN: nis [27-OCT-1999]


=================================
Candidate: CAN-1999-0901
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: REDHAT:RHSA1999046-01
Reference: SUSE:19991023 Security hole in ypserv < 1.3.9
Reference: DEBIAN:19991027 nis

ypserv allows a local user to modify the GECOS and login shells
of other users.

Modifications:
  ADDREF SUSE:19991023 Security hole in ypserv < 1.3.9
  ADDREF DEBIAN:19991027 nis

INFERRED VOTE: CAN-1999-0901 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: SUSE: Security hole in ypserv < 1.3.9  23.10.1999
 Stracener> Add Ref: DEBIAN: nis [27-OCT-1999]


=================================
Candidate: CAN-1999-0902
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: REDHAT:RHSA1999046-01
Reference: SUSE:19991023 Security hole in ypserv < 1.3.9
Reference: DEBIAN:19991027 nis

ypserv allows local administrators to modify password tables.

Modifications:
  ADDREF SUSE:19991023 Security hole in ypserv < 1.3.9
  ADDREF DEBIAN:19991027 nis

INFERRED VOTE: CAN-1999-0902 ACCEPT_ACK (2 accept, 4 ack, 0 review)

VOTES:
   ACCEPT(1) Cole
   MODIFY(1) Stracener
   NOOP(1) Blake

COMMENTS:
 Stracener> Add Ref: SUSE: Security hole in ypserv < 1.3.9  23.10.1999
 Stracener> Add Ref: DEBIAN: nis [27-OCT-1999]


=================================
Candidate: CAN-1999-0907
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990916 SuSE 6.2 /usr/bin/sccw read any file
Reference: SUSE:19990921 Security Hole in sccw-1.1 and earlier

sccw allows local users to read arbitrary files.

INFERRED VOTE: CAN-1999-0907 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(3) Cole, Blake, Stracener


=================================
Candidate: CAN-1999-0914
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: DEBIAN:19990104
Reference: BUGTRAQ:19990103 [SECURITY] New versions of netstd fixes buffer overflows
Reference: BID:324

Buffer overflow in the FTP client in the Debian GNU/Linux netstd
package.

INFERRED VOTE: CAN-1999-0914 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole
   NOOP(1) Christey

COMMENTS:
 Cole> This actually results in two DOS attacks, one in the bootp server
 Cole> and one in the ftp server.
 Christey> The bootp problem is CAN-1999-0389 in the UNIX-UNCONF
 Christey> cluster.


=================================
Candidate: CAN-1999-0939
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified:
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: BUGTRAQ:19990826 [SECURITY] New versions of epic4 fixes possible DoS vulnerability
Reference: DEBIAN:19990826
Reference: BID:605

Denial of service in Debian IRC Epic/epic4 client via a long string.

INFERRED VOTE: CAN-1999-0939 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Blake, Stracener
   MODIFY(1) Cole

COMMENTS:
 Cole> This can result in either the client crashing or arbitrary code
 Cole> being sent to the screen.


=================================
Candidate: CAN-1999-0940
Published:
Final-Decision: 20000104
Interim-Decision: 19991229
Modified: 19991228-01
Proposed: 19991214
Assigned: 19991208
Category: SF
Reference: CALDERA:CSSA-1999-031
Reference: SUSE:19990927 Security hole in mutt

Buffer overflow in mutt mail client allows remote attackers to execute
commands via malformed MIME messages.

Modifications:
  ADDREF SUSE:19990927 Security hole in mutt

INFERRED VOTE: CAN-1999-0940 ACCEPT (3 accept, 0 review)

VOTES:
   ACCEPT(2) Cole, Blake
   MODIFY(1) Stracener

COMMENTS:
 Stracener> Add Ref: SUSE: Security hole in mutt 27.09.1999:
Prev by Date: [FINAL] ACCEPT 14 candidates from RECENT-02 cluster
Next by Date: [FINAL] ACCEPT 17 candidates from UNIX-VEN cluster
Prev by thread: [FINAL] ACCEPT 14 candidates from RECENT-02 cluster
Next by thread: [FINAL] ACCEPT 17 candidates from UNIX-VEN cluster
Index(es):
- Date
- Thread