Red Hat 9062 Published by

---------------------------------------------------------------------
Fedora Legacy Update Advisory

Synopsis: Updated ncpfs package fixes security issues
Advisory ID: FLSA:152904
Issue date: 2006-05-12
Product: Red Hat Linux, Fedora Core
Keywords: Bugfix
CVE Names: CVE-2004-1079 CVE-2005-0013 CVE-2005-0014
---------------------------------------------------------------------



---------------------------------------------------------------------
1. Topic:

An updated ncpfs package is now available.

Ncpfs is a file system that understands the Novell NetWare(TM) NCP
protocol.

2. Relevant releases/architectures:

Red Hat Linux 7.3 - i386
Red Hat Linux 9 - i386
Fedora Core 1 - i386
Fedora Core 2 - i386
Fedora Core 3 - i386, x86_64

3. Problem description:

Buffer overflows were found in the nwclient program. An attacker, using
a long -T option, could possibly execute arbitrary code and gain
privileges. The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CVE-2004-1079 to this issue.

A bug was found in the way ncpfs handled file permissions. ncpfs did not
sufficiently check if the file owner matched the user attempting to
access the file, potentially violating the file permissions. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0013 to this issue.

A buffer overflow was found in the ncplogin program. A remote malicious
NetWare server could execute arbitrary code on a victim's machine. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0014 to this issue.

All users of ncpfs are advised to upgrade to this updated package, which
contains backported fixes for these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which
are not installed but included in the list will not be updated. Note
that you can also use wildcards (*.rpm) if your current directory *only*
contains the desired RPMs.

Please note that this update is also available via yum and apt. Many
people find this an easier way to apply updates. To use yum issue:

yum update

or to use apt:

apt-get update; apt-get upgrade

This will start an interactive process that will result in the
appropriate RPMs being upgraded on your system. This assumes that you
have yum or apt-get configured for obtaining Fedora Legacy content.
Please visit http://www.fedoralegacy.org/docs for directions on how to
configure yum and apt-get.

5. Bug IDs fixed:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=152904

6. RPMs required:

Red Hat Linux 7.3:
SRPM:
http://download.fedoralegacy.org/redhat/7.3/updates/SRPMS/ncpfs-2.2.0.18-
6.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ncpfs-2.2.0.18-6
.1.legacy.i386.rpm
http://download.fedoralegacy.org/redhat/7.3/updates/i386/ipxutils-2.2.0.1
8-6.1.legacy.i386.rpm

Red Hat Linux 9:

SRPM:
http://download.fedoralegacy.org/redhat/9/updates/SRPMS/ncpfs-2.2.1-1.1.l
egacy.src.rpm

i386:
http://download.fedoralegacy.org/redhat/9/updates/i386/ncpfs-2.2.1-1.1.le
gacy.i386.rpm
http://download.fedoralegacy.org/redhat/9/updates/i386/ipxutils-2.2.1-1.1
.legacy.i386.rpm

Fedora Core 1:

SRPM:
http://download.fedoralegacy.org/fedora/1/updates/SRPMS/ncpfs-2.2.3-1.1.l
egacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/1/updates/i386/ncpfs-2.2.3-1.1.le
gacy.i386.rpm
http://download.fedoralegacy.org/fedora/1/updates/i386/ipxutils-2.2.3-1.1
.legacy.i386.rpm

Fedora Core 2:

SRPM:
http://download.fedoralegacy.org/fedora/2/updates/SRPMS/ncpfs-2.2.4-1.1.l
egacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/2/updates/i386/ncpfs-2.2.4-1.1.le
gacy.i386.rpm
http://download.fedoralegacy.org/fedora/2/updates/i386/ipxutils-2.2.4-1.1
.legacy.i386.rpm

Fedora Core 3:

SRPM:
http://download.fedoralegacy.org/fedora/3/updates/SRPMS/ncpfs-2.2.4-5.FC3
.1.legacy.src.rpm

i386:
http://download.fedoralegacy.org/fedora/3/updates/i386/ncpfs-2.2.4-5.FC3.
1.legacy.i386.rpm
http://download.fedoralegacy.org/fedora/3/updates/i386/ipxutils-2.2.4-5.F
C3.1.legacy.i386.rpm

x86_64:
http://download.fedoralegacy.org/fedora/3/updates/x86_64/ncpfs-2.2.4-5.FC
3.1.legacy.x86_64.rpm
http://download.fedoralegacy.org/fedora/3/updates/x86_64/ipxutils-2.2.4-5
.FC3.1.legacy.x86_64.rpm


7. Verification:

SHA1 sum Package Name
---------------------------------------------------------------------

16740d3fa5e17a46429ad3586e4adf9a14a64f8d
redhat/7.3/updates/i386/ncpfs-2.2.0.18-6.1.legacy.i386.rpm
21f8520c8a2a3d60e55041c0db028e03549f8544
redhat/7.3/updates/i386/ipxutils-2.2.0.18-6.1.legacy.i386.rpm
6704d55f1f43360b6ad4211e2ca0f92e9f2174c8
redhat/7.3/updates/SRPMS/ncpfs-2.2.0.18-6.1.legacy.src.rpm
6acd3b7b7d09cb0e47769b43a888adf72a6278ac
redhat/9/updates/i386/ncpfs-2.2.1-1.1.legacy.i386.rpm
c49d83f88b229ce57c689d313eccb4df7b89f36b
redhat/9/updates/i386/ipxutils-2.2.1-1.1.legacy.i386.rpm
ac833c51fcf831bca3edef5d0275ccd1ae0a530f
redhat/9/updates/SRPMS/ncpfs-2.2.1-1.1.legacy.src.rpm
8379face8f68fe556d40bf32f72a5ab368e8eb6d
fedora/1/updates/i386/ncpfs-2.2.3-1.1.legacy.i386.rpm
eefaa839a26179ca5d41897eacf7bbf3c49661e1
fedora/1/updates/i386/ipxutils-2.2.3-1.1.legacy.i386.rpm
ede00a8544200515b5e09a7a40836d8f558cac9d
fedora/1/updates/SRPMS/ncpfs-2.2.3-1.1.legacy.src.rpm
1d32d2f0c39475f98206d78f87c587d4f96ddb70
fedora/2/updates/i386/ncpfs-2.2.4-1.1.legacy.i386.rpm
c095ce2d66184b605516231609cddc30520c3eb5
fedora/2/updates/i386/ipxutils-2.2.4-1.1.legacy.i386.rpm
874f8a48f85fef80615b5892a70d214f0935ed7a
fedora/2/updates/SRPMS/ncpfs-2.2.4-1.1.legacy.src.rpm
dc329c8b3558f67350486358b01b6a62f6f467af
fedora/3/updates/i386/ncpfs-2.2.4-5.FC3.1.legacy.i386.rpm
1ddd6caafe4a693d4a69d341be69600df446de3b
fedora/3/updates/i386/ipxutils-2.2.4-5.FC3.1.legacy.i386.rpm
db8660759a23570a6d06bda37c619e0931425ef8
fedora/3/updates/x86_64/ncpfs-2.2.4-5.FC3.1.legacy.x86_64.rpm
1e8bc7d10995fde90688b424f5001c14f7d3e3bc
fedora/3/updates/x86_64/ipxutils-2.2.4-5.FC3.1.legacy.x86_64.rpm
7f29dd88dcf31f19970e22c8c3af7267c62a5508
fedora/3/updates/SRPMS/ncpfs-2.2.4-5.FC3.1.legacy.src.rpm

These packages are GPG signed by Fedora Legacy for security. Our key is
available from http://www.fedoralegacy.org/about/security.php

You can verify each package with the following command:

rpm --checksig -v <filename>

If you only wish to verify that each package has not been corrupted or
tampered with, examine only the sha1sum with the following command:

sha1sum <filename>

8. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0014

9. Contact:

The Fedora Legacy security contact is <secnotice@fedoralegacy.org>. More
project details at http://www.fedoralegacy.org