Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: C Call Vulnerabilities

by Noel Davis
08/12/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at buffer overflows in calloc(), Sun's ONE/iPlanet Web Server, dietlibc, OpenAFS, Kerberos 5 Administration System, and PNG libraries; and problems in FreeBSD's Berkeley Fast File System, CVS, iSCSI, Red Hat Secure Web Server, tinyproxy, and IRIX named.

calloc()

The implementation of the C language library call calloc(), provided as part of several C libraries, has a buffer overflow that under some circumstances may be exploitable. Libraries reported to be vulnerable include: multiple versions of glibc and glibc2, the GNU C++ Compiler, Microsoft Visual C++ 4.0, Microsoft Visual C++ 6.0, GNU GNAT 3.14 b, and dietlibc 0.18.

It has been reported that this buffer overflow has been repaired in the CVS repository of glibc. Users should watch for updates from their vendor.
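The column does not state the root cause of the calloc() flaw; the example below assumes the defect is in the allocation-size arithmetic, where the element count times the element size is computed in a fixed-width size_t and can wrap to a small value, so the allocator hands back a zero-filled buffer far smaller than the caller expects. This is added illustration code, not code from the column or from any of the libraries it names; it shows the division-based check an allocator or wrapper should perform before multiplying, and uses a constructed request whose product wraps to 16 bytes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns 1 if nmemb * size cannot be represented in a size_t.
 * Dividing first avoids performing the multiplication that would wrap. */
int calloc_size_overflows(size_t nmemb, size_t size)
{
    if (nmemb == 0 || size == 0)
        return 0;
    return nmemb > SIZE_MAX / size;
}

/* The unchecked product, as a wrapping allocator would compute it. */
size_t wrapped_product(size_t nmemb, size_t size)
{
    return nmemb * size;           /* unsigned arithmetic wraps modulo 2^N */
}

/* calloc() with the size check in front: refuse the request instead of
 * handing back an undersized, zero-filled buffer. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (calloc_size_overflows(nmemb, size)) {
        errno = ENOMEM;            /* same failure mode as a genuine out-of-memory */
        return NULL;
    }
    size_t total = nmemb * size;   /* safe: the check above proved it fits */
    void *p = malloc(total);
    if (p != NULL)
        memset(p, 0, total);       /* calloc semantics: zero-filled memory */
    return p;
}

int main(void)
{
    /* Constructed request (hypothetical values): nmemb is chosen so that
     * nmemb * 16 equals 2^N + 16 for an N-bit size_t, i.e. it wraps to 16. */
    size_t size = 16;
    size_t nmemb = SIZE_MAX / 16 + 2;
    printf("wrapped product: %zu bytes\n", wrapped_product(nmemb, size));
    printf("overflow detected: %d\n", calloc_size_overflows(nmemb, size));
    void *p = checked_calloc(nmemb, size);
    printf("checked_calloc returned %s\n", p == NULL ? "NULL" : "a buffer");
    free(p);
    return 0;
}
```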

Sun ONE/iPlanet Web Server

Sun's ONE/iPlanet Web Server is reported to be vulnerable to a buffer overflow in the code that handles "Chunked Encoding." This buffer overflow may be exploitable by a remote attacker to execute arbitrary code as root.

Users should contact Sun for a patch as soon as possible.

FreeBSD Berkeley Fast File System (FFS)

An error in the way that FreeBSD handles the calculation of file sizes in Berkeley Fast File Systems can be used by an attacker to access arbitrary locations in the file system. This error is exploited by creating a file too large to be handled by FreeBSD.

It is recommended that users apply the appropriate patch for their system as soon as possible. A possible workaround for file systems with 16k blocks is to set the value of RLIMIT_FSIZE to 63MB or less. This can be done by editing /etc/login.conf and modifying the default class; this, however, will not protect most systems from all possible attacks, as it is possible to log in using tools that do not use this file to set default values.

cvsd

The CVS daemon cvsd has a locally exploitable off-by-one bug.

Affected users should watch their vendor for an update. Caldera has released updated packages for OpenLinux Server versions 3.1 and 3.1.1, and OpenLinux Workstation 3.1 and 3.1.1.

iSCSI

iSCSI is a protocol that allows SCSI access over IP networks. The Linux version (Linux-iSCSI) stores its configuration information, in some installations, in a world-readable file. This can potentially lead to the exposure of sensitive information. It has been reported that the Red Hat Linux Limbo Beta shipped with the configuration file world-readable.

The permissions of the file /etc/iscsi.conf should be restricted so that only root can read from or write to the file. Red Hat has announced that they will fix the permissions of the configuration file in the next release.

dietlibc

dietlibc, a small version of the libc library, is vulnerable to an integer overflow that can be used by an attacker to execute arbitrary code. If a set user id root application is linked against this library, a successful exploit could lead to a root compromise.

Affected users should upgrade to a repaired version as soon as possible. Debian has announced that dietlibc version 0.12-2.2 has been released for Debian stable woody and version 0.20-0cvs20020806 for Debian unstable.

OpenAFS

The OpenAFS distributed file system is vulnerable to an integer-overflow-based attack that can be exploited by a remote attacker to execute arbitrary code on the server with the permissions of the user running OpenAFS (normally root). The integer overflow vulnerability is in the volserver, vlserver, ptserver, and buserver daemons. Versions of OpenAFS affected include: 1.0.x, 1.1.x, 1.2.x (up to and including OpenAFS 1.2.5), and 1.3.x (up to and including OpenAFS 1.3.2).

Users should upgrade to OpenAFS version 1.2.6 or newer as soon as possible or apply an available patch to their stable version of OpenAFS. No patch or update has been released for the OpenAFS-unstable series.

Kerberos 5 Administration System

The RPC library used by the Kerberos 5 administration system is vulnerable to an integer overflow that can be exploited by an attacker to gain root access to the server. It has been reported that the attacker must be able to authenticate to the server before exploiting the overflow.

Users should watch their vendor for updated packages. Debian has released new packages that fix this problem for both the stable and unstable versions.

Red Hat Secure Web Server

Red Hat has released updated packages for its Secure Web Server. The Red Hat Secure Web Server uses a version of the MM library that is vulnerable to a symbolic-link race condition.

Affected users should upgrade to these new packages.

tinyproxy

tinyproxy, a small HTTP proxy server, has a bug that may be exploitable by a remote attacker to execute code on the server with the permissions of the user running the proxy.

It is recommended that users upgrade to a repaired version as soon as possible. Users should consider disabling tinyproxy until it has been repaired.

BIND Vulnerabilities in IRIX named

SGI has released new BIND packages for IRIX. SGI distributes BIND with IRIX 6.5, but it is not installed by default.

Users who have BIND installed on their systems should upgrade to the new package, which installs version 4.9.8 patch level 1 in a chroot jail, or should upgrade to IRIX 6.5.18 when it becomes available.

PNG Libraries

Debian has released new packages for their PNG libraries to repair what they call a "potential buffer overflow" and to "implement a safety margin."

Users should consider upgrading to this package.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.