TITLE:
NetBSD Update Fixes Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA17389

VERIFY ADVISORY:
http://secunia.com/advisories/17389/

CRITICAL:
Highly critical

IMPACT:
Security Bypass, Privilege escalation, DoS, System access

WHERE:
>From remote

OPERATING SYSTEM:
NetBSD 1.x
http://secunia.com/product/255/

DESCRIPTION:
Some vulnerabilities have been reported in NetBSD, which can be
exploited by malicious, local users to gain escalated privileges, or
by malicious users to cause a DoS (Denial of Service) and compromise
a vulnerable system, or by malicious people to bypass certain
security restrictions and compromise a user's system.

1) Some boundary errors exist in the telnet client. This can be
exploited by malicious people to compromise a user's system.

For more information:
SA14745

2) Multiple vulnerabilities exist in CVS. These can be exploited by
malicious users to cause a DoS (Denial of Service) and compromise a
vulnerable system, or by malicious, local users to perform certain
actions on a vulnerable system with escalated privileges.

For more information:
SA11641
SA11817
SA16553
SA14976

3) An integer overflow error in the FreeBSD compatibility code can
lead to heap corruption. This may be exploited by local users to
cause a DoS and potentially to execute arbitrary code with root
privileges.

4) Temporary files are being created insecurely in the "/tmp"
directory by "imake" when generating pre-formatted manual pages. This
can be exploited via symlink attacks to create or overwrite arbitrary
files with the privileges of the user running the affected script.

5) A vulnerability exists in OpenSSL, which potentially can be
exploited by malicious people to bypass certain security
restrictions.

For more information:
SA17151

6) A security issue exists in ntpd, which can cause ntpd to run with
incorrect group permissions.

For more information:
SA16602

7) An error exists the "ptrace()" function when checking for process
privileges before attaching to a process. This  can be exploited to
attach to a suid process that calls "exec()". This potentially allows
local privilege escalation by altering the behaviour of the process or
by injecting additional syscalls.

SOLUTION:
The vulnerabilities have been fixed in the following versions:
* NetBSD-current (October 31, 2005)
* NetBSD-1.6 branch (November 1, 2005)

PROVIDED AND/OR DISCOVERED BY:
3) Christer Oeberg
4) Jeremy C. Reed
7) Tavis Ormandy

ORIGINAL ADVISORY:
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-004.txt.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-006.txt.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-008.txt.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-009.txt.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-010.txt.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-011.txt.asc
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2005-013.txt.asc

OTHER REFERENCES:
SA14745:
http://secunia.com/advisories/14745/

SA11641:
http://secunia.com/advisories/11641/

SA11817:
http://secunia.com/advisories/11817/

SA16553:
http://secunia.com/advisories/16553/

SA14976:
http://secunia.com/advisories/14976/

SA17151:
http://secunia.com/advisories/17151/

SA16602:
http://secunia.com/advisories/16602/

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/


Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------