Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts Bugzilla Security Problems

by Noel Davis
08/26/2002

Welcome to Security Alerts, an overview of recent Unix and open source security advisories.

In this column, we look at buffer overflows in PostgreSQL, and UnixWare and Open UNIX's ndcfg; and problems in PHP, scponly, the kernel supplied with Red Hat Linux 7.3, Bugzilla, EPIC Script Light, UnixWare DNS Resolver, Mantis, an exploit for the Cisco IOS TFTP Server bug, and Red Hat's tcl/tk and expect.

PHP

A vulnerability has been reported in the mail() command under safe mode in PHP that can be exploited to execute arbitrary code with the permissions of the user ID running the PHP code. Versions 4.0.5 through 4.1.0 of PHP are reported to be vulnerable.

It is recommended that affected users upgrade to version 4.1.0 or newer of PHP as soon as possible.

PostgreSQL

Multiple buffer overflow vulnerabilities have been reported in the PostgreSQL database server. The buffer overflows are in the code for the lpad(), rpad(), and repeat() functions; datetime input; and TIME ZONE and TZ environmental variables. These buffer overflows require that a user be able to log in to the database server before they can exploit the vulnerability.

Related Reading

Essential System Administration
Tools and Techniques for Linux and Unix Administration
By Æleen Frisch

The PostgreSQL Global Development Team has released version 7.2.2, which repairs these buffer overflows.

scponly

scponly, a custom shell designed to allow only scp and sftp connections by an account, has a flaw that, under some circumstances, can be used by an attacker to bypass the account restrictions and execute arbitrary commands on the server. If a user has access to their $HOME/.ssh/environment directory, they can modify their environment and cause a custom script to be executed.

A suggested workaround for this problem is to remove the user's write permission from the user's home and $HOME/.ssh/ directories and provide them with an alternative directory that they can use to upload files.

Red Hat Linux 7.3 Kernel

Red Hat has released an updated kernel package for Red Hat Linux 7.3 that repairs: a problem in the code dealing with with the Intel i810/i815 chipset; a race condition in the file system dcache; several kernel memory exposures in the /proc file system; and security problems in the kernel drivers stradis, rio500, se401, usbvideo, and apm. Red Hat stated that they are not aware of any current exploits for these problems.

Users of Red Hat Linux 7.3 should upgrade to the latest kernel package.

Bugzilla

The Bugzilla bug-tracking system has several security problems, which include: an attacker can bypass some security restrictions with a direct call to queryhelp.cgi, an attacker can bypass IP restrictions by spoofing a reverse DNS host name, Bugzilla creates new directories and new params files with world-writable permissions, authenticated users with edit permissions can delete other users by directly calling editusers.cgi, a cross-site scripting problem with the realname field, potential password data leaking during an error, and an SQL injection attack against buglist.cgi.

It is recommended that all installations of Bugzilla be upgraded to an errata package containing version 2.14.3 or newer as soon as possible.

EPIC Script Light

EPIC Script Light is a script written for the Epic4 IRC client. It contains a remotely-exploitable bug that can be used to execute arbitrary code with the permissions of the user running Epic4.

Users of EPIC Script Light should upgrade as soon as possible.

UnixWare DNS Resolver

Caldera has released updated DNS resolver libraries for UnixWare 7.1.1 that repair a vulnerability that can be used in a denial-of-service attack or may, under some circumstances, lead to the execution of arbitrary code.

Caldera recommends that users of UnixWare 7.1.1 install the latest packages as soon as possible.

Mantis

Mantis, an open source, Web-based bug tracking system written with PHP and using the MySQL database server, has a bug that can result in the "view bugs" page to show a user both public and private projects, if no projects are available to the user.

Users should upgrade to Mantis version 0.17.5 or newer.

UnixWare and Open UNIX ndcfg

The UnixWare and Open UNIX command ndcfg is vulnerable to a buffer overflow that a local attacker can exploit to execute arbitrary code with increased permissions. This buffer overflow is reported to affect UnixWare 7.1.1 and Open UNIX 8.0.0. ndcfg raises its privileges with the security subsystem and not by being set user id or set group id.

It is recommended that users upgrade to the latest binaries available from Caldera.

Cisco IOS TFTP Server Exploit

A program to automate the exploitation of a buffer overflow in the Cisco IOS TFTP Server has been released. The program is designed to work on Cisco 1600 and 1000 series devices and is reported to give full access to the device when the exploit is successful. Cisco's advisory on this problem says that the impact is limited to a denial-of-service attack.

The Cisco advisory states: "As the affected versions are not scheduled to be fixed, and a simple workaround is available, a software upgrade is not required to address this vulnerability." Users should contact Cisco for information on possible work arounds.

Red Hat tcl/tk and expect

tcl/tk and expect under Red Hat Linux 7.0 and 7.1 have been reported to have a bug that, under some circumstances, can be exploited by a local attacker to execute arbitrary code. expect looks for its libraries first in /var/tmp, and tcl/tk looks first in the current working directory.

Red Hat has released updated packages to fix this problem.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to the Linux DevCenter.

Copyright © 2009 O'Reilly Media, Inc.