Trouble in the Kernel, VMware, and PostgreSQL
by Noel Davis
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, VMware, PostgreSQL, Squid, MySQL, Mailman, Apple OSX HFS+, movemail with GNU Emacs or XEmacs, KStars, typespeed, awstats, and synaesthesia.
- Linux Kernel Problems
- MySQL mysqlaccess Script
- Apple OSX HFS+
- GNU Emacs and XEmacs
Linux Kernel Problems
Several problems in the Linux kernel have been reported, including: an authorization problem in the shmctl() system call that could result in unauthorized access to data; a buffer overflow in nls_ascii.c that could cause a kernel panic; a race condition in the setsid() system call; and a flaw in the iptables code that could be used to crash the machine or to bypass a firewall rule.
Users should consider upgrading to the latest production release of the Linux kernel.
Under some conditions, VMware can load shared libraries from a world-writable directory. A local attacker who places a malicious library there can execute arbitrary code with the permissions of the user running VMware.
All users of VMware should upgrade to the latest version. As a workaround, users can create a file named /tmp/rrdharan; occupying that path keeps an attacker from creating it and prevents exploitation of this vulnerability.
Several buffer overflows have been reported in the PL/pgSQL component of the PostgreSQL database that may, under some conditions, be exploitable by an attacker to execute arbitrary code with the permissions of the PostgreSQL user account.
It is recommended that users watch their vendors for a patch or upgrade to PostgreSQL version 8.0.1-r1 or newer. Debian has released an updated version of PostgreSQL for Debian GNU/Linux 3.0 (alias woody) that they identify as 7.2.1-2woody8.
MySQL mysqlaccess Script
The mysqlaccess script distributed with MySQL is reported to be vulnerable to a temporary-file, symbolic-link race condition: a local attacker who plants a link at the predictable temporary-file name can cause the script to overwrite arbitrary files on the system with the permissions of the user running the script (often root).
The mysqlaccess script is reported to have been repaired in the latest available release of MySQL.
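The race described above, as an added C example (not code from MySQL or the mysqlaccess script): a privileged process opens a predictable name in a shared directory, and a local attacker has already planted a symbolic link there pointing at a file the attacker could not otherwise write. The scratch directory, the file names "victim" and "lure", and the function names are constructed for this example; the lure stands in for the guessable temporary-file name, and the scratch directory itself is made safely with mkdtemp() so the demonstration does not depend on a real world-writable location.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The flawed shape: a predictable name in a shared directory, opened with
 * flags that follow whatever is already sitting at that name. If an attacker
 * has placed a symlink there, O_TRUNC and the write land in the link target. */
static int open_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: refuse to follow a link and refuse any pre-existing path. The
 * proper fix is mkstemp(), which also makes the name unguessable; these flags
 * are the minimum that defeats a link planted at a known name. */
static int open_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Constructed scenario: a private scratch directory holding "victim" (the file
 * the attacker wants overwritten) and "lure", a symlink to it standing in for
 * the predictable temp-file name. Returns 1 if opening the lure with `opener`
 * clobbered victim, 0 if victim survived, -1 if the setup itself failed. */
static int victim_clobbered_by(int (*opener)(const char *))
{
    char dir[] = "/tmp/symrace.XXXXXX";        /* mkdtemp fills in the X's */
    char victim[128], lure[128];
    const char original[] = "original contents\n";
    int clobbered = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lure, sizeof lure, "%s/lure", dir);

    FILE *f = fopen(victim, "w");
    if (f != NULL) {
        fputs(original, f);
        fclose(f);
        /* the attacker's move: a link at the name the script will use */
        if (symlink(victim, lure) == 0) {
            int fd = opener(lure);              /* the script's move */
            if (fd >= 0) {
                ssize_t n = write(fd, "owned\n", 6);
                (void)n;
                close(fd);
            }
            clobbered = (file_size(victim) == (long)strlen(original)) ? 0 : 1;
            unlink(lure);
        }
        unlink(victim);
    }
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("O_CREAT|O_TRUNC through a planted link : victim clobbered = %d\n",
           victim_clobbered_by(open_unsafe));
    printf("O_CREAT|O_EXCL|O_NOFOLLOW              : victim clobbered = %d\n",
           victim_clobbered_by(open_safe));
    return 0;
}
```

With the unsafe flags the victim is truncated and overwritten through the link; with O_EXCL|O_NOFOLLOW the open fails with EEXIST and the victim is untouched. The same check is worth running against any script that writes to a fixed name under /tmp while running as root.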
A directory traversal vulnerability has been reported in the Mailman mailing list manager that may result in an attacker gaining access to the mailing list account and password information of users. Systems running Apache 2.0 are reported to not be vulnerable. This problem is reported to affect Mailman 2.1 versions through version 2.1.5.
Users should upgrade to version 2.1.6 of Mailman as soon as possible and should consider resetting their users' passwords. If the users' passwords are reset, the cron/mailpasswds script can be run to email the new passwords to the users. A temporary workaround that will break private archives is to remove the mailman/cgi-bin/private executable.
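The kind of check a private-archive handler needs against the traversal described above, as an added C example that is not Mailman's own code: the requested path is resolved lexically against the archive root, and any ".." that would climb above the root, or an absolute path, is rejected before anything touches the filesystem. The function name archive_path_ok and the sample request strings are constructed for this example. Percent-encoded input must be decoded before it reaches a check like this, or "%2e%2e" walks straight past it.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64

/* Resolve `request` lexically against an archive root. Returns 1 and writes
 * the normalized relative path to `out` if the request stays inside the root;
 * returns 0 for an absolute path, for any ".." that would climb above the
 * root, or if the result does not fit in `out`. */
static int archive_path_ok(const char *request, char *out, size_t outsz)
{
    const char *seg[MAX_SEGS];
    size_t len[MAX_SEGS];
    int depth = 0;
    const char *p = request;

    if (*p == '/' || *p == '\\')
        return 0;                       /* absolute: never relative to the root */

    while (*p != '\0') {
        const char *q = p;
        while (*q != '\0' && *q != '/' && *q != '\\')
            q++;
        size_t n = (size_t)(q - p);
        if (n == 0 || (n == 1 && p[0] == '.')) {
            /* "//" or "/./": nothing to record */
        } else if (n == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return 0;               /* would escape the archive root */
            depth--;
        } else {
            if (depth == MAX_SEGS)
                return 0;
            seg[depth] = p;
            len[depth] = n;
            depth++;
        }
        p = (*q == '\0') ? q : q + 1;
    }

    /* rebuild the surviving components with a single '/' separator */
    size_t used = 0;
    out[0] = '\0';
    for (int i = 0; i < depth; i++) {
        if (used + len[i] + 2 > outsz)
            return 0;
        if (i > 0)
            out[used++] = '/';
        memcpy(out + used, seg[i], len[i]);
        used += len[i];
        out[used] = '\0';
    }
    return 1;
}

int main(void)
{
    /* constructed requests: a legitimate archive page, a traversal attempt,
     * and a messy but harmless path that normalizes cleanly */
    const char *tests[] = {
        "listname/2005-March/000001.html",
        "listname/../../../etc/passwd",
        "listname/./2005-March/../2005-April/000002.html",
    };
    char out[256];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        int ok = archive_path_ok(tests[i], out, sizeof out);
        printf("%-50s -> %s %s\n", tests[i], ok ? "serve " : "reject", ok ? out : "");
    }
    return 0;
}
```

The lexical check is deliberately independent of the filesystem: it does not follow symlinks and does not need the archive to exist, so it can sit in front of the CGI before any file is opened. Rejecting rather than silently stripping ".." also leaves a clear log line when someone probes the archive.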
Apple OSX HFS+
Under certain conditions, Internet-based applications, such as web servers, that provide remote users access to files and data residing on an Apple OSX HFS+ filesystem may be manipulated into disclosing the raw contents of server-parsed files, such as the source code of PHP pages. This problem affects Mac OS X version 10.2 and earlier.
All users should apply the available fixes from Apple.
GNU Emacs and XEmacs
When using the movemail utility with GNU Emacs and XEmacs, a buffer overflow can be triggered by a remote attacker who controls the POP email server from which the victim is downloading mail. Successfully exploiting this buffer overflow would allow the attacker to execute arbitrary code with the permissions of the user and the mail group.
Users should watch their vendors for a repaired GNU Emacs and XEmacs package. Repaired packages have been announced for Red Hat Linux, Debian GNU/Linux, Mandrake Linux, and Ubuntu.
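The general shape of the movemail bug, as an added C example that is not movemail's own code: a POP3 status line from the server is copied into a fixed-size buffer, and a hostile server sends a line longer than that buffer. The unbounded function shows the pattern; the hardened one checks the length and refuses an overlong line rather than truncating it silently. The function names, the 80-byte message buffer, and both server responses are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MSG_MAX 80

/* Shape of the bug: the server's status line is copied into a fixed buffer
 * with no length check, so a server (or anyone on the path to it) that sends
 * a long enough line overruns the buffer. Never feed this untrusted input;
 * it is here only to show the pattern beside its fix. */
static void pop_status_unbounded(const char *line, char *msg)
{
    strcpy(msg, line + 4);                  /* assumes "+OK " and a short line */
}

/* Hardened: parse one POP3 status line into `msg`. Returns 1 for +OK,
 * 0 for -ERR, -1 if the line is malformed or would not fit in `msgsz`. */
static int pop_status(const char *line, char *msg, size_t msgsz)
{
    int ok;
    const char *rest;
    size_t n;

    if (strncmp(line, "+OK", 3) == 0)       { ok = 1; rest = line + 3; }
    else if (strncmp(line, "-ERR", 4) == 0) { ok = 0; rest = line + 4; }
    else return -1;                         /* not a status line at all */

    if (*rest == ' ')
        rest++;
    else if (*rest != '\0' && *rest != '\r' && *rest != '\n')
        return -1;                          /* "+OKAY..." is not a status */

    n = strcspn(rest, "\r\n");              /* the message ends at CRLF */
    if (n >= msgsz)
        return -1;                          /* would not fit: refuse, do not truncate */
    memcpy(msg, rest, n);
    msg[n] = '\0';
    return ok;
}

/* Constructed responses: what a sane server sends, and a hostile one that is
 * far longer than the MSG_MAX-byte message buffer. */
static const char GOOD_LINE[] = "+OK 3 messages (1234 octets)\r\n";

static void build_hostile(char *buf, size_t bufsz)
{
    size_t pad = bufsz - 8;                 /* "-ERR " + pad + "\r\n" + NUL */
    memcpy(buf, "-ERR ", 5);
    memset(buf + 5, 'A', pad);
    memcpy(buf + 5 + pad, "\r\n", 3);       /* copies the terminating NUL too */
}

/* Returns 1 if the hardened parser rejects the hostile line. */
static int hostile_rejected(void)
{
    char line[512];
    char msg[MSG_MAX];
    build_hostile(line, sizeof line);
    return pop_status(line, msg, sizeof msg) == -1;
}

int main(void)
{
    char msg[MSG_MAX];
    pop_status_unbounded(GOOD_LINE, msg);   /* fine on the benign line only */
    printf("unbounded copy of benign line : \"%s\"\n", msg);
    printf("bounded parse of benign line  : %d \"%s\"\n",
           pop_status(GOOD_LINE, msg, sizeof msg), msg);
    printf("hostile line rejected         : %d\n", hostile_rejected());
    return 0;
}
```

Refusing instead of truncating matters here: a truncated server message can still be acted on, and a client that quietly drops the tail of a line gives the operator no signal that the server is misbehaving.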
Squid is a free, open source Web proxy cache server that provides proxying and caching of HTTP, FTP, and other URL types; HTTP server acceleration; proxying for SSL; transparent caching; caching of DNS queries; and extensive access controls. Several problems in Squid have been announced, including: when using LDAP, unauthorized users may be able to connect by using a variant of an authorized user's login name; a buffer overflow in the code that handles a response from a gopher server that can result in Squid crashing if a response is too long; a cache-poisoning-based vulnerability; and a buffer overflow in the code that handles WCCP packets that may be exploitable to crash Squid or to execute arbitrary code with the permissions of the Squid user.
It is recommended that users apply the available patches for Squid and recompile, or that they watch their vendors for an updated version.
KStars, a desktop planetarium for KDE, contains a buffer overflow in the fliccd daemon that may be exploitable under some conditions to execute arbitrary code with increased permissions. fliccd is only reported to be vulnerable when it is run in daemon mode.
Affected users of KStars should watch their vendors for a repaired version. Repaired versions have been released for Gentoo Linux.
The touch-typing training game typespeed is vulnerable to a format-string-based attack that may be exploited by a local attacker to gain (in most cases) group games permission.
Users should watch their vendors for an updated version and should consider disabling typespeed or removing the set-group-id bit until it has been repaired.
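The format-string bug class behind the typespeed report, as an added C example that is not typespeed's own code: user-supplied text (a player's name, say) reaches a *printf function as the format argument instead of as data. The vulnerable and fixed renderers, the directive-counting check, and the sample inputs are constructed for this example. Only "%%" is pushed through the vulnerable path, because a real directive such as %x or %n would read or write through arguments that were never passed, which is exactly the undefined behaviour an attacker exploits.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the player's text becomes the format string. The pragma
 * silences the warning gcc and clang give for precisely this pattern
 * (-Wformat-security), which is the cheapest way to find such bugs in a tree. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int render_unsafe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, name);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a literal and the data travels as an argument. */
static int render_safe(char *out, size_t outsz, const char *name)
{
    return snprintf(out, outsz, "%s", name);
}

/* Count conversion directives in a string: a '%' not immediately followed by
 * another '%'. A non-zero count in data that should be inert (a name, a
 * high-score entry) is worth logging and rejecting. */
static int format_directives(const char *s)
{
    int count = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;                        /* "%%" is a literal percent sign */
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    const char *name = "100%% done";    /* constructed player input */
    const char *probe = "%x%x%x%n";     /* constructed attacker input, never rendered here */
    char out[64];

    render_unsafe(out, sizeof out, name);
    printf("unsafe: %-12s -> %s\n", name, out);
    render_safe(out, sizeof out, name);
    printf("safe:   %-12s -> %s\n", name, out);
    printf("directives in \"%s\": %d\n", probe, format_directives(probe));
    return 0;
}
```

The unsafe renderer collapses "%%" to "%", proof that the input is being interpreted rather than copied; the safe one reproduces it verbatim. Dropping the set-group-id bit, as the column suggests, limits what a successful exploit gains, but the fix is the literal format string.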
awstats, a web-based, web server log analyzing tool, is vulnerable to an attack that can be exploited by a remote attacker to execute arbitrary commands with the permissions of the user account running the web server.
It is recommended that users upgrade to awstats version 6.4 or newer as soon as possible.
The sound visualization utility synaesthesia does not properly drop its privileges when it accesses its user-owned configuration and mixer files, and can be abused to read arbitrary files on the system.
Affected users should watch their vendors for a repaired version.
Return to LinuxDevCenter.com