Michal Zalewski found an exploitable buffer overflow with regard to cancel messages and their verification.
This bug did only show up if ‘verifycancels’ was enabled in inn.conf which is not the default and has been disrecommended by upstream.
Andi Kleen found a bug in INN2 that makes innd crash for two byte headers. There is a chance this can only be exploited with uucp.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-023. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(14860);
script_version("1.17");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/04");
script_cve_id("CVE-2001-0361");
script_xref(name:"DSA", value:"023");
script_name(english:"Debian DSA-023-1 : inn2 - local tempfile vulnerabilities");
script_summary(english:"Checks dpkg output for the updated package");
script_set_attribute(
attribute:"synopsis",
value:"The remote Debian host is missing a security-related update."
);
script_set_attribute(
attribute:"description",
value:
"- People at WireX have found several potential insecure
uses of temporary files in programs provided by INN2.
Some of them only lead to a vulnerability to symlink
attacks if the temporary directory was set to /tmp or
/var/tmp, which is the case in many installations, at
least in Debian packages. An attacker could overwrite
any file owned by the news system administrator, i.e.
owned by news.news.
- Michal Zalewski found an exploitable buffer overflow
with regard to cancel messages and their verification.
This bug did only show up if 'verifycancels' was enabled
in inn.conf which is not the default and has been
disrecommended by upstream.
- Andi Kleen found a bug in INN2 that makes innd crash for
two byte headers. There is a chance this can only be
exploited with uucp."
);
script_set_attribute(
attribute:"see_also",
value:"http://www.debian.org/security/2001/dsa-023"
);
script_set_attribute(
attribute:"solution",
value:"Upgrade the inn2 packages immediately."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
script_cwe_id(310);
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:inn2");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
script_set_attribute(attribute:"patch_publication_date", value:"2001/01/26");
script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.");
script_family(english:"Debian Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include("audit.inc");
include("debian_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (deb_check(release:"2.2", prefix:"inn2", reference:"2.2.2.2000.01.31-4.1")) flag++;
if (deb_check(release:"2.2", prefix:"inn2-dev", reference:"2.2.2.2000.01.31-4.1")) flag++;
if (deb_check(release:"2.2", prefix:"inn2-inews", reference:"2.2.2.2000.01.31-4.1")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
else security_warning(0);
exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Vendor | Product | Version | CPE |
---|---|---|---|
debian | debian_linux | inn2 | p-cpe:/a:debian:debian_linux:inn2 |
debian | debian_linux | 2.2 | cpe:/o:debian:debian_linux:2.2 |