Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at buffer overflows in calloc(), Sun's ONE/iPlanet Web Server, dietlibc, OpenAFS, Kerberos 5 Administration System, and PNG libraries; and problems in FreeBSD's Berkeley Fast File System, CVS, iSCSI, Red Hat Secure Web Server, tinyproxy, and IRIX.
The implementation of the C language library call calloc(), provided as part of several C libraries, has a buffer overflow that under some circumstances may be exploitable. Libraries reported to be vulnerable include: multiple versions of glibc2, the GNU C++ Compiler, Microsoft Visual C++ 4.0, Microsoft Visual C++ 6.0, GNU GNAT 3.14 b,
It has been reported that this buffer overflow has been repaired in the CVS repository of glibc. Users should watch for updates from
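The calloc() reports of this period concerned the product of the two arguments, nmemb * size, wrapping around so that a huge request quietly became a small block. The following added example (not code from the column or from any of the libraries named above) contrasts that unchecked arithmetic with a checked wrapper; the function names are hypothetical.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Byte count as an unchecked calloc computes it: the product is taken
 * modulo SIZE_MAX + 1, so a request that should fail can instead yield
 * a tiny block that the caller later overruns. */
size_t naive_calloc_bytes(size_t nmemb, size_t size)
{
    return nmemb * size;            /* silently wraps on overflow */
}

/* Returns 1 when nmemb * size cannot be represented in a size_t.
 * Dividing instead of multiplying avoids the overflow being tested. */
int calloc_args_overflow(size_t nmemb, size_t size)
{
    return nmemb != 0 && size > SIZE_MAX / nmemb;
}

/* Hardened wrapper (hypothetical): refuse a request whose byte count
 * would wrap, exactly as the fixed libraries do, instead of returning
 * an undersized allocation. */
void *checked_calloc(size_t nmemb, size_t size)
{
    if (calloc_args_overflow(nmemb, size)) {
        errno = ENOMEM;
        return NULL;
    }
    void *p = malloc(nmemb * size);
    if (p != NULL)
        memset(p, 0, nmemb * size);
    return p;
}

/* Helper for verification: allocate, confirm every byte is zero, free.
 * Returns 1 on a correctly zeroed block, 0 if allocation was refused. */
int checked_calloc_is_zeroed(size_t nmemb, size_t size)
{
    unsigned char *p = checked_calloc(nmemb, size);
    if (p == NULL)
        return 0;
    for (size_t i = 0; i < nmemb * size; i++)
        if (p[i] != 0) { free(p); return 0; }
    free(p);
    return 1;
}
```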
Sun's ONE/iPlanet Web Server is reported to be vulnerable to a buffer overflow in the code that handles "Chunked Encoding." This buffer overflow may be exploitable by a remote attacker to execute arbitrary code as root.
Users should contact Sun for a patch as soon as possible.
An error in the way that FreeBSD handles the calculation of file sizes in Berkeley Fast File Systems can be used by an attacker to access arbitrary locations in the file system. This error is exploited by creating a file too large to be handled by FreeBSD.
It is recommended that users apply the appropriate patch for their system as soon as possible. A possible workaround for file systems with 16k blocks is to set the value of RLIMIT_FSIZE to 63MB or less. This can be done by editing /etc/login.conf and modifying the default class; this, however, will not protect most systems from all possible attacks, as it is possible to log in using tools that do not use this file to set default values.
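Because login paths that bypass /etc/login.conf leave the limit unset, the workaround is only as good as the limit actually in force in a session. This added example (not from the column) checks the calling process's RLIMIT_FSIZE against the 63MB cap; it assumes 63MB means 63 * 1024 * 1024 bytes and that both the soft and the hard limit must be capped, since an unprivileged user can raise the soft limit back up to the hard one.

```c
#include <stdio.h>
#include <sys/resource.h>

/* 63 MB cap from the workaround; RLIMIT_FSIZE is measured in bytes. */
#define FSIZE_WORKAROUND_CAP ((rlim_t)63 * 1024 * 1024)

/* Pure check: is a single limit value at or below the cap?
 * RLIM_INFINITY ("unlimited") never satisfies the workaround. */
int fsize_limit_within_cap(rlim_t limit, rlim_t cap)
{
    if (limit == RLIM_INFINITY)
        return 0;
    return limit <= cap;
}

/* Inspect the current session. Returns 1 if both the soft and the hard
 * RLIMIT_FSIZE are capped, 0 if either is not, -1 if getrlimit fails. */
int session_fsize_protected(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    return fsize_limit_within_cap(rl.rlim_cur, FSIZE_WORKAROUND_CAP) &&
           fsize_limit_within_cap(rl.rlim_max, FSIZE_WORKAROUND_CAP);
}

int main(void)
{
    int r = session_fsize_protected();
    if (r < 0) {
        perror("getrlimit");
        return 2;
    }
    printf("RLIMIT_FSIZE %s the 63MB workaround in this session\n",
           r ? "satisfies" : "does NOT satisfy");
    return r ? 0 : 1;
}
```

Run it from a freshly opened session of each login tool in use (console, ssh, and so on); a non-zero exit code identifies a login path that the login.conf change did not cover.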
The CVS daemon cvsd is vulnerable to a locally-exploitable, off-by-one
Affected users should watch their vendor for an update. Caldera has released updated packages for OpenLinux Server versions 3.1 and 3.1.1, and OpenLinux Workstation 3.1 and 3.1.1.
iSCSI is a protocol that allows SCSI access over IP networks. The Linux version (Linux-iSCSI) stores its configuration information, in some installations, in a world-readable file. This can potentially lead to the exposure of sensitive information. It has been reported that the Red Hat Linux Limbo Beta shipped with the configuration file world-readable.
The permissions of the file /etc/iscsi.conf should be restricted so that only root can read from or write to the file. Red Hat has announced that they will fix the permissions of the configuration file in the next
dietlibc, a small version of the libc library, is vulnerable to an integer overflow that can be used by an attacker to execute arbitrary code. If a set-user-ID root application is linked against this library, a successful exploit could lead to a root compromise.
Affected users should upgrade to a repaired version as soon as possible. Debian has announced that dietlibc version 0.12-2.2 has been released for Debian stable woody and version 0.20-0cvs20020806 for Debian unstable.
The OpenAFS distributed file system is vulnerable to an integer-overflow-based attack that can be exploited by a remote attacker to execute arbitrary code on the server with the permissions of the user running OpenAFS (normally root). The integer overflow vulnerability is in the buserver daemons. Versions of OpenAFS affected include: 1.0.x, 1.1.x, 1.2.x (up to and including OpenAFS 1.2.5), and 1.3.x (up to and including OpenAFS 1.3.2).
Users should upgrade to OpenAFS version 1.2.6 or newer as soon as possible or apply an available patch to their stable version of OpenAFS. No patch or update has been released for the OpenAFS-unstable series.
The RPC library used by the Kerberos 5 administration system is vulnerable to an integer overflow that can be exploited by an attacker to gain root access to the server. It has been reported that the attacker must be able to authenticate to the server before exploiting the overflow.
Users should watch their vendor for updated packages. Debian has released new packages that fix this problem for both the stable and unstable versions.
Red Hat has released updated packages for its Secure Web Server. The Red Hat Secure Web Server uses a version of the MM library that is vulnerable to a symbolic-link race condition.
Affected users should upgrade to these new packages.
tinyproxy, a small HTTP proxy server, has a bug that may be exploitable by a remote attacker to execute code on the server with the permissions of the user running the proxy.
It is recommended that users upgrade to a repaired version as soon as possible. Users should consider disabling tinyproxy until it has been
SGI has released new BIND packages for IRIX. SGI distributes BIND with IRIX 6.5, but it is not installed by default.
Users who have BIND installed on their systems should upgrade to the new package, which installs version 4.9.8 patch level 1 in a chroot jail, or should upgrade to IRIX 6.5.18 when it becomes available.
Debian has released new packages for their PNG libraries to repair what they call a "potential buffer overflow" and to "implement a safety margin."
Users should consider upgrading to this package.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.