Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in PHP, Emacs,
pppoe, OpenVPN, RAR, Fedora Core X-Chat, HP-UX
libungif4, and GpsDrive.
A new version of PHP has been released that fixes many bugs, including some that are security-related. Security problems repaired include: problems in the file upload code, memory corruption bugs, several possible global overwriting bugs, and a memory corruption bug.
Users of PHP 4.3 and 4.4 are encouraged to upgrade to version 4.4.1 of PHP.
Emacs will execute arbitrary Lisp code when a text file is opened with code in the local variables section of the file. This affects Emacs versions 21.2.1 and earlier.
Users should upgrade to version 21.3 of Emacs. Users should also consider
(setq enable-local-variables nil) to their .emacs configuration
ftpd-ssl, an FTP server that supports SSL encryption, is reported to be vulnerable
to a buffer overflow that may be exploitable by a remote attacker to execute
arbitrary code with root's permissions.
Affected users should watch their vendors for a repaired version. Debian has released an updated version for sarge.
Lynx is a text-mode web browser for Unix machines. Some configurations of
Lynx contain a mistake in the configuration of the
handles that may be exploited by a remote attacker to execute arbitrary commands
on the victim's machine. Version 2.8.5 of Lynx is reported to be vulnerable,
as are versions distributed in Red Hat Linux, Gentoo, and Mandriva. Versions
of Lynx distributed with FreeBSD and OpenBSD are reported to not be vulnerable.
Users should upgrade to version 2.8.6dev.15 or newer as soon as possible.
A possible workaround for this problem is to add the line
the lynx.cfg file.
A recent security announcement claimed that if Roaring Penguin
over Ethernet) is installed set user id root, it is vulnerable to a bug that
can allow an attacker to overwrite arbitrary files on the system with root
permissions. This security announcement is misleading, as there are no reported
Linux distributions that install
rp-pppoe set user id root.
David Skoll of Roaring Penguin said about this problem: "Naturally, we
advise people not to run
pppoe SUID-root, just as we'd advise people not to
sed SUID-root. The whole
issue is nonsensical."
OpenVPN is a full-featured SSL VPN that runs on Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X, Solaris, and Windows 2000/XP. OpenVPN is reported to be vulnerable to an attack that could result in arbitrary code being executed on the victim's machine.
All users of OpenVPN should upgrade to version 2.0.4 or newer as soon as possible.
RAR, an archiving tool that can use .zip and .rar file formats, is reported to be vulnerable to a buffer overflow and a format-string-type vulnerability that could result in arbitrary code being executed with the user's permissions. Both of these vulnerabilities are exploited through a carefully crafted archive file that the user uncompresses using RAR.
All users of RAR should upgrade to version 3.5.1 or newer as soon as possible.
X-Chat is an IRC (Internet Relay Chat) client that runs under the X Window System and uses either the GTK+ toolkit or Gnome libraries. Patches have been released for Fedora Core 1 and 2 that repair a long-standing buffer overflow in X-Chat. The buffer overflow is in the code that handles Socks-5 proxies in X-Chat and may be exploitable, under some conditions, by a remote attacker to execute arbitrary code on the victim's machine. The victim must connect to a proxy server controlled by an attacker to be vulnerable to this buffer overflow.
It is recommended that Fedora Core 1 and 2 users stop using untrusted Socks-5 proxy servers until they have upgraded their X-Chat applications.
A unspecified security problem with
xterm under HP-UX has been announced by
HP. The announcement states that local users can exploit this vulnerability
to gain unauthorized access. This probably indicates access to the root account.
Versions B.11.00, B.11.11, and B.11.23 of HP-UX are reported to be affected.
Affected users should contact HP for more information. A suggested workaround
is to use the
xterm located at /usr/contrib/bin/X11R5/xterm. For example:
cp /usr/bin/X11/xterm /usr/bin/X11/xterm.nosuid
chmod 555 /usr/bin/X11/xterm.nosuid
cp /usr/contrib/bin/X11R5/xterm /usr/bin/X11/xterm
Also in Security Alerts:
libungif4 library is reported to be vulnerable to several attacks that
could result in a denial of service or, under some conditions, in arbitrary code
Users should watch their vendors for a repaired version of the library. Debian has released a repaired version for woody, sarge, and sid.
GpsDrive is a Linux and FreeBSD application that displays your position, provided from your NMEA-capable GPS receiver on a zoomable map. It supports GPS receivers that provide access via the NMEA protocol. A format-string-based vulnerability has been reported that may be exploitable by a local attacker to execute arbitrary code.
Debian has released repaired packages for sarge and sid. Users of other distributions should watch for a repaired version.
On a personal note, this is the last Security Alerts column I will be writing for O'Reilly. It has been a pleasure working with all of the wonderful people who have edited and produced the O'Reillynet website. If you are interested in a continuation of this column in some form elsewhere, send me an email at If there is enough interest I will continue doing a weekly or biweekly security report in some form.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to LinuxDevCenter.com
Copyright © 2009 O'Reilly Media, Inc.