Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: Real Problems

by Noel Davis
02/11/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PHP, Perl, the GNU C Library, OpenBSD, FreeBSD, NetBSD, Oracle9i, RealOne, RealPlayer, CVSup, gaim, GNU libtool, and mailman.

PHP

It has been reported that, under some conditions, PHP can leak the contents of variables from one virtual host to another virtual host on the same machine. According to the report, one of the conditions is that the variable register_globals = on must be set in the system php.ini file and that some virtual hosts have register_globals = off in their .htaccess configuration file.

Affected users should watch their vendors for an updated version of PHP. It is also suggested that, on systems with virtual hosts, register_globals be set to off in the system php.ini file unless there is a known reason to have it set to on.

Perl

The programming language Perl has a helper application named suidperl that is used to execute set-user-id Perl scripts safely. Bugs in suidperl can be exploited by an attacker to obtain information about files and the file system in excess of the attacker's permissions.

Affected users should watch their vendors for a repaired version of Perl.

GNU C Library

The GNU C library (glibc) has a bug in its resolver code that can be exploited (by a remote attacker with a DNS packet larger than 1024 bytes) to crash an application linked against glibc. In most cases, generating a large DNS packet would require that the attacker control a DNS server that is responding to a request. The bug is reported to affect glibc versions through 2.2.5.

Users should watch their vendors for an updated package.
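The defensive counterpart to the resolver problem above is a parser that never trusts a length field in the response. The following Python example is added here and is not glibc code or part of the original column; the 1024-byte cap is a constructed parameter mirroring the buffer size mentioned in the advisory, and the sample packets (a normal answer, a self-referencing compression pointer, and an oversized response) are constructed for the demonstration. It also goes a little beyond the text by checking compression pointers and label lengths, which are the other places a DNS parser commonly overruns its buffer.

```python
import struct

# The advisory describes a resolver buffer of 1024 bytes; this cap is a constructed
# parameter for the example, not glibc's actual constant.
MAX_RESPONSE = 1024


class DnsParseError(ValueError):
    """Raised for any response that does not fit the buffer or its own declared sizes."""


def read_name(pkt, off):
    """Decode a DNS name starting at pkt[off].

    Every label length and compression pointer is checked against len(pkt), pointers
    must point strictly backwards (no loops), and the hop count is capped.
    Returns (name, offset_after_name).
    """
    labels = []
    resume = None  # offset to continue from after the first compression pointer
    for _ in range(128):  # hard cap on labels plus pointer hops
        if off >= len(pkt):
            raise DnsParseError("name runs past end of packet")
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            if off + 1 >= len(pkt):
                raise DnsParseError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[off + 1]
            if target >= off:
                raise DnsParseError("compression pointer does not point backwards")
            if resume is None:
                resume = off + 2
            off = target
            continue
        if length > 63:
            raise DnsParseError("label longer than 63 bytes")
        if off + 1 + length > len(pkt):
            raise DnsParseError("label runs past end of packet")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    else:
        raise DnsParseError("too many labels or pointer hops")
    return ".".join(labels), (resume if resume is not None else off)


def parse_response(pkt):
    """Return [(name, rtype, ttl, rdata), ...] for the answer section, or raise DnsParseError."""
    if len(pkt) > MAX_RESPONSE:
        raise DnsParseError("response of %d bytes exceeds %d-byte buffer" % (len(pkt), MAX_RESPONSE))
    if len(pkt) < 12:
        raise DnsParseError("short header")
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off = 12
    for _ in range(qdcount):  # skip the question section, still bounds-checked
        _, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise DnsParseError("truncated question")
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise DnsParseError("truncated resource record header")
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if off + rdlen > len(pkt):
            raise DnsParseError("rdata length exceeds packet")
        answers.append((name, rtype, ttl, pkt[off:off + rdlen]))
        off += rdlen
    return answers


# Constructed sample: one A record for example.com, with the answer name compressed
# to a pointer back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([93, 184, 216, 34])
)

# Constructed hostile samples: a self-referencing pointer and an oversized response.
LOOPING_RESPONSE = struct.pack("!6H", 1, 0x8180, 1, 0, 0, 0) + b"\xc0\x0c"
OVERSIZED_RESPONSE = SAMPLE_RESPONSE + b"\x00" * (MAX_RESPONSE + 1)


def classify(pkt):
    """Helper returning 'ok' or the rejection reason, for use in tests and logs."""
    try:
        parse_response(pkt)
        return "ok"
    except DnsParseError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE))
    print(classify(LOOPING_RESPONSE))
    print(classify(OVERSIZED_RESPONSE))
```

The size check at the top of parse_response is the cheap fix for the failure the advisory describes; the per-field checks are what stop a response that is under the cap but lies about its own lengths.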


OpenBSD IPV6

It has been reported that OpenBSD 3.4 is vulnerable to an IPv6-related, remote denial-of-service attack. The report states that the vulnerability is exploited by setting a low MTU on the OpenBSD machine and then connecting with an IPv6 TCP packet.

This vulnerability has been repaired in OpenBSD-current, and a patch has been made available.

OpenBSD, FreeBSD, and NetBSD shmat() Function

There is a bug reported in the shmat() function call under OpenBSD, FreeBSD, and NetBSD that may be exploitable by a local attacker to write to kernel memory and gain unauthorized permissions. This bug is reported to affect FreeBSD versions 2.2.0 and earlier, NetBSD versions 1.3 and earlier, and OpenBSD versions 2.6 and earlier. The shmat() function call is used to map shared memory under the System V Shared Memory interface.

Patches to repair this bug have been released for OpenBSD 3.4-stable and 3.3-stable. FreeBSD users should upgrade to 4-STABLE, or to the RELENG_5_2, RELENG_5_1, RELENG_4_9, or RELENG_4_8 security branches dated after February 5th, 2004, or apply the available patch and recompile their kernels. NetBSD users should watch for a patch or update.

Oracle9i

The Oracle9i database is vulnerable to multiple buffer overflows that can be exploited to execute arbitrary code with the permissions of the user account the database is running under (most often, oracle). Buffer overflows have been reported in the code involved with the functions NUMTOYMINTERVAL, NUMTODSINTERVAL, and FROM_TZ, and in the code that deals with the TIME_ZONE variable. It is reported that these vulnerabilities affect Oracle9i versions 9.2.0.3 and earlier.

Users should upgrade to version 9.2.0.4 of Oracle and apply Patch 3.

RealOne and RealPlayer

RealNetworks' RealOne and RealPlayer media players are vulnerable to an attack that uses carefully crafted .RP, .RT, .RAM, .RPM, or .SMIL files to cause a buffer overflow and execute arbitrary code with the permissions of the user running the player. In addition, another flaw in some versions of the player can be exploited to force the player to download files from an arbitrary web site.

It is recommended that users of RealOne and RealPlayer upgrade to repaired versions as soon as possible.

CVSup

CVSup is a package for distributing and updating collections of files (source, binary, hard links, symbolic links, and even device files) across a network. Several binary CVSup packages are reported to contain possibly untrusted paths in the RPATH variable in the cvsup, cvsupd, and cvpasswd executables. This can, under some conditions, lead to arbitrary code being executed with the permissions of the user running CVSup. Packages reported to be affected include cvsup-16.1h-2.i386.rpm by Anthon van der Neut and cvsup-16.1h-43.i586.rpm by SuSE Linux.

Affected users should watch their vendors for a repaired package, or recompile CVSup either with a safe value for RPATH or as a statically linked binary.
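A practitioner who wants to check whether a binary carries an RPATH like the ones reported for CVSup needs two things: a way to read DT_RPATH/DT_RUNPATH out of the ELF dynamic section, and a rule for which entries are untrusted. The Python example below is added here and is neither CVSup code nor from the original column. It assumes 64-bit ELF images with a section header table (the usual Linux case), and the policy in unsafe_rpath_entries (empty and relative entries, world-writable prefixes, dynamic string tokens flagged for review) is a constructed reviewer's rule, not anything stated by the advisory. The sample image is built in memory so the example runs without a real binary.

```python
import struct
import sys

# Constructed policy for this example: which RPATH/RUNPATH entries a reviewer flags.
WORLD_WRITABLE_PREFIXES = ("/tmp", "/var/tmp")

SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29


def unsafe_rpath_entries(rpath):
    """Split a colon-separated RPATH string and return [(entry, reason), ...] for risky entries."""
    findings = []
    for entry in rpath.split(":"):
        if entry == "":
            findings.append((entry, "empty entry means current directory"))
        elif entry.startswith("$"):  # e.g. $ORIGIN: expands at load time, so review where it can land
            findings.append((entry, "dynamic string token expands at load time; review"))
        elif not entry.startswith("/"):
            findings.append((entry, "relative path"))
        elif any(entry == p or entry.startswith(p + "/") for p in WORLD_WRITABLE_PREFIXES):
            findings.append((entry, "world-writable location"))
    return findings


def rpath_from_elf(data):
    """Return the DT_RPATH/DT_RUNPATH strings of an ELF64 image held in memory.

    Assumption for this example: 64-bit ELF with a section header table; anything
    else raises ValueError rather than guessing.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (_ident, _type, _mach, _ver, _entry, _phoff, shoff, _flags, _ehsize,
     _phentsize, _phnum, shentsize, shnum, _shstrndx) = struct.unpack(end + "16sHHIQQQIHHHHHH", data[:64])
    sections = []
    for i in range(shnum):
        hdr = data[shoff + i * shentsize: shoff + i * shentsize + 64]
        sections.append(struct.unpack(end + "IIQQQQIIQQ", hdr))
    results = []
    for sec in sections:
        _name, sh_type, _shflags, _addr, offset, size, link, _info, _align, entsize = sec
        if sh_type != SHT_DYNAMIC:
            continue
        strsec = sections[link]                      # sh_link of .dynamic points at .dynstr
        strtab = data[strsec[4]:strsec[4] + strsec[5]]
        entsize = entsize or 16
        for j in range(size // entsize):
            pos = offset + j * entsize
            tag, val = struct.unpack(end + "qQ", data[pos:pos + 16])
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                results.append(strtab[val:].split(b"\x00", 1)[0].decode("ascii", "replace"))
    return results


def audit_elf(data):
    """Every flagged entry from every RPATH/RUNPATH string in the image."""
    return [(entry, reason) for rp in rpath_from_elf(data) for entry, reason in unsafe_rpath_entries(rp)]


def build_sample_elf(rpath):
    """Construct a minimal little-endian ELF64 image containing only .dynstr and .dynamic."""
    dynstr = b"\x00" + rpath.encode() + b"\x00"
    dynamic = struct.pack("<qQ", DT_RPATH, 1) + struct.pack("<qQ", DT_NULL, 0)
    shoff, shnum = 64, 3
    dynstr_off = shoff + shnum * 64
    dynamic_off = dynstr_off + len(dynstr)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # 64-bit, little-endian, version 1
    header = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, 0)
    null_sh = struct.pack("<IIQQQQIIQQ", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    dynstr_sh = struct.pack("<IIQQQQIIQQ", 1, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    dynamic_sh = struct.pack("<IIQQQQIIQQ", 2, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)
    return header + null_sh + dynstr_sh + dynamic_sh + dynstr + dynamic


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(audit_elf(fh.read()))
    else:
        print(audit_elf(build_sample_elf("/usr/lib:.:/tmp/build")))
```

Run it with a path to a binary to audit that file, or with no arguments to see the constructed sample flagged; the same two findings are what a reviewer would expect from an RPATH that mixes system directories with "." and a scratch directory.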

gaim

The instant-messaging client gaim is vulnerable to two buffer overflows that can, under some circumstances, be exploited by a remote attacker to execute arbitrary code with the permissions of the user running gaim.

Users of gaim should watch their vendors for an updated package. Updated packages have been released for SuSE Linux.

GNU libtool

GNU libtool is a set of scripts used to create shared libraries from object files. The script ltmain.sh is vulnerable to a temporary file symbolic-link race condition that can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user running libtool.

It is recommended that all developers and other users of libtool upgrade to version 1.5.2 or newer as soon as possible.
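The libtool problem is the classic temporary-file symlink race: a script creates a file at a name an attacker can predict, and a symlink planted there beforehand redirects the write. The Python example below is added here to show the weak pattern next to two hardened forms; it is not libtool's ltmain.sh (a shell script) and not from the original column. The temp name, the victim file and the planted symlink are all constructed inside a throwaway directory so the demonstration is self-contained.

```python
import os
import shutil
import tempfile


def predictable_path(tmpdir):
    """The weak pattern: a temp name anyone can guess ahead of time (constructed name for the demo)."""
    return os.path.join(tmpdir, "libtool-%d.tmp" % os.getpid())


def predictable_tmp_write(tmpdir, data):
    """Vulnerable: open(..., 'w') follows a symlink planted at the guessable name,
    so the write lands on whatever the link points to."""
    path = predictable_path(tmpdir)
    with open(path, "w") as fh:
        fh.write(data)
    return path


def exclusive_create(path):
    """Hardened open for a fixed name: O_EXCL refuses if anything (file or symlink) already
    exists there, O_NOFOLLOW refuses to traverse a symlink, mode 0600 keeps it private."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def safe_tmp_write(tmpdir, data):
    """Hardened: mkstemp picks an unpredictable name and creates it with O_CREAT|O_EXCL."""
    fd, path = tempfile.mkstemp(prefix="libtool-", suffix=".tmp", dir=tmpdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def demonstrate():
    """Run both patterns against a planted symlink in a throwaway directory and report what happened."""
    tmpdir = tempfile.mkdtemp()
    try:
        victim = os.path.join(tmpdir, "victim.txt")
        with open(victim, "w") as fh:
            fh.write("original contents\n")
        # Constructed for the demo: a symlink sits at the guessable name before the tool runs.
        os.symlink(victim, predictable_path(tmpdir))

        predictable_tmp_write(tmpdir, "scratch")
        with open(victim) as fh:
            victim_clobbered = fh.read() == "scratch"

        try:
            exclusive_create(predictable_path(tmpdir))
            exclusive_refused = False
        except OSError:  # EEXIST on Linux/BSD: O_EXCL sees the symlink and refuses
            exclusive_refused = True

        safe_path = safe_tmp_write(tmpdir, "scratch")
        safe_is_regular = os.path.isfile(safe_path) and not os.path.islink(safe_path)
        return {
            "victim_clobbered": victim_clobbered,
            "exclusive_refused": exclusive_refused,
            "safe_is_regular": safe_is_regular,
        }
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    print(demonstrate())
```

The result dictionary makes the three outcomes explicit: the predictable name was redirected onto the victim, the exclusive open refused the same name, and mkstemp produced a fresh regular file. For a shell script the equivalent of safe_tmp_write is creating the scratch area with mktemp rather than composing a name from $$.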

mailman

The mailing list manager mailman is vulnerable to a cross-site scripting-based attack in the admin interface that can, under some circumstances, be used to steal session cookies and make unauthorized modifications to a mailing list's configuration. This vulnerability is reported to affect versions of mailman from 2.1 up to (but not including) 2.1.4.

Affected users should upgrade to a repaired package from their vendor or to version 2.1.4 or newer.
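The column does not say which admin-interface parameter was reflected, so the following Python example is generic: an error message taken from the request is echoed into the page unescaped (vulnerable form) or HTML-escaped first (fixed form), with a small regression check that reports whether a renderer reflects a probe string verbatim, and a Set-Cookie builder that marks the session cookie HttpOnly so an injected script cannot read it through document.cookie. This is added example code, not mailman's, and the cookie name and value are placeholders.

```python
import html


def render_error_vulnerable(message):
    """Echoes a request-supplied string straight into the admin page markup."""
    return '<p class="error">%s</p>' % message


def render_error_safe(message):
    """Same page, but every request-supplied string is HTML-escaped (quote=True also
    covers attribute contexts) before it reaches the markup."""
    return '<p class="error">%s</p>' % html.escape(message, quote=True)


def reflects_unescaped(renderer, probe="<script>alert(1)</script>"):
    """Regression check: does the renderer reflect the probe verbatim?
    True means this parameter reaches the page unneutralised; False means it was escaped."""
    return probe in renderer(probe)


def session_cookie_header(name, value, secure=True):
    """Set-Cookie line for the admin session. HttpOnly keeps document.cookie from
    reading it, so a script injected into the page cannot simply lift the session;
    Secure keeps it off plaintext HTTP. Defence in depth, not a substitute for escaping."""
    parts = ["%s=%s" % (name, value), "Path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")
    return "Set-Cookie: " + "; ".join(parts)


if __name__ == "__main__":
    print(render_error_safe("<script>alert(1)</script>"))
    print(reflects_unescaped(render_error_vulnerable), reflects_unescaped(render_error_safe))
    print(session_cookie_header("admin_session", "placeholder-session-id"))
```

reflects_unescaped is the kind of check worth keeping in a test suite for every page that echoes request data: it is cheap, and it catches the regression the moment someone adds a new unescaped parameter.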

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.