s0nIc
March 5th, 2002, 01:59 AM
CFS Multiple Buffer Overflow Vulnerabilities
Cryptographic File System (CFS) for Unix is a file system encryption package. Versions prior to 1.3.3-8.1 are vulnerable to a number of buffer overflow issues.
Whether or not these are exploitable to obtain privileges on the host is unknown at the present time. They can be used to initiate a denial of service condition against the encrypted file system, however.
Remote: Yes
Exploit: No exploit
Solution: Debian has provided fixed packages.
Matt Blaze cfs 1.3.3 Sparc:
Debian Upgrade cfs_1.3.3-8.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cfs_1.3.3- 8.1_sparc.deb
Matt Blaze cfs 1.3.3 PPC:
Debian Upgrade cfs_1.3.3-8.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cfs_1.3.3- 8.1_powerpc.deb
Matt Blaze cfs 1.3.3 m68k:
Debian Upgrade cfs_1.3.3-8.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cfs_1.3.3- 8.1_m68k.deb
Matt Blaze cfs 1.3.3 ia32:
Debian Upgrade cfs_1.3.3-8.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cfs_1.3.3- 8.1_i386.deb
Matt Blaze cfs 1.3.3 ARM:
Debian Upgrade cfs_1.3.3-8.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cfs_1.3.3- 8.1_arm.deb
Matt Blaze cfs 1.3.3 Alpha:
Debian Upgrade cfs_1.3.3-8.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cfs_1.3.3- 8.1_alpha.deb
Matt Blaze cfs 1.3.3:
Debian Upgrade cfs_1.3.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/source/cfs_1.3.3.orig.tar.gz
Debian Patch cfs_1.3.3-8.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/cfs_1.3.3-8.1.diff.gz
Cryptographic File System (CFS) for Unix is a file system encryption package. Versions prior to 1.3.3-8.1 are vulnerable to a number of buffer overflow issues.
Whether or not these are exploitable to obtain privileges on the host is unknown at the present time. They can be used to initiate a denial of service condition against the encrypted file system, however.
Remote: Yes
Exploit: No exploit
Solution: Debian has provided fixed packages.
Matt Blaze cfs 1.3.3 Sparc:
Debian Upgrade cfs_1.3.3-8.1_sparc.deb
http://security.debian.org/dists/stable/updates/main/binary-sparc/cfs_1.3.3- 8.1_sparc.deb
Matt Blaze cfs 1.3.3 PPC:
Debian Upgrade cfs_1.3.3-8.1_powerpc.deb
http://security.debian.org/dists/stable/updates/main/binary-powerpc/cfs_1.3.3- 8.1_powerpc.deb
Matt Blaze cfs 1.3.3 m68k:
Debian Upgrade cfs_1.3.3-8.1_m68k.deb
http://security.debian.org/dists/stable/updates/main/binary-m68k/cfs_1.3.3- 8.1_m68k.deb
Matt Blaze cfs 1.3.3 ia32:
Debian Upgrade cfs_1.3.3-8.1_i386.deb
http://security.debian.org/dists/stable/updates/main/binary-i386/cfs_1.3.3- 8.1_i386.deb
Matt Blaze cfs 1.3.3 ARM:
Debian Upgrade cfs_1.3.3-8.1_arm.deb
http://security.debian.org/dists/stable/updates/main/binary-arm/cfs_1.3.3- 8.1_arm.deb
Matt Blaze cfs 1.3.3 Alpha:
Debian Upgrade cfs_1.3.3-8.1_alpha.deb
http://security.debian.org/dists/stable/updates/main/binary-alpha/cfs_1.3.3- 8.1_alpha.deb
Matt Blaze cfs 1.3.3:
Debian Upgrade cfs_1.3.3.orig.tar.gz
http://security.debian.org/dists/stable/updates/main/source/cfs_1.3.3.orig.tar.gz
Debian Patch cfs_1.3.3-8.1.diff.gz
http://security.debian.org/dists/stable/updates/main/source/cfs_1.3.3-8.1.diff.gz