Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at buffer overflows in Apache, fetchmail, Heimdal, logsurfer, kghostview, and WN Server; and problems in unzip, GNU tar, gv, SMRSH, and rogue.
Several remotely-exploitable vulnerabilities in the Apache Web server have been reported. The reported vulnerabilities are:
A problem in the shared memory scoreboard that can be exploited to send a signal as root to any process running on the system, causing a denial of service. Any user who can execute code with the permissions of the user id running Apache can exploit this vulnerability. This includes users who can execute CGI applications and remote attackers that can exploit bugs in CGI applications to execute code.
On systems that allow wildcard DNS lookups and have UseCanonicalName set to Off, Apache is vulnerable to a cross-site scripting attack on the default 404 page: the host name Apache puts into the error page is taken from the client-supplied Host header, so an attacker-controlled name is reflected unescaped. This attack can be used to run script in the viewer's Web browser.
There are buffer overflows in ApacheBench which may be exploitable as part of a denial-of-service attack and may, under some conditions, be used to execute code with the permissions of the user running ApacheBench.
It is highly recommended that users upgrade to version 1.3.27 of Apache as soon as possible.
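The directive at issue, shown here as an added configuration example (not a fragment from the Apache documentation or from the column); the server name is a placeholder:

```apache
# Weak setting: with UseCanonicalName Off, Apache builds self-referential
# URLs (including the one on the default 404 page) from whatever the client
# sent in the Host header, which is what the cross-site scripting attack abuses.
UseCanonicalName Off

# Corrected: self-referential URLs are built from ServerName instead of the
# request's Host header.  Upgrading to 1.3.27 is still required; this only
# removes the reflected host name from the error page.
ServerName www.example.com
UseCanonicalName On
```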
The mail application fetchmail is vulnerable to several buffer overflows. One of them, in the code that parses the "Received" header of an incoming email message, can be exploited to execute code with the permissions of the user running fetchmail (root, in some cases).
Users should upgrade fetchmail to version 6.1.0 as soon as possible, and should consider disabling it until this has been done.
unzip and GNU tar are vulnerable to directory traversal problems that can be used by an attacker to overwrite arbitrary files. An attacker can place files whose paths contain ".." into a .tar file, and files whose paths start with "/" into a .zip file, and the tools will write those files outside the directory the archive is being extracted into. unzip version 5.42 and GNU tar version 1.13.25 are reported to be vulnerable.
It is recommended that users upgrade to repaired versions of unzip as soon as possible. Red Hat has released updated packages for tar. Until then, users can list the contents of a .zip file using unzip -l filename and a .tar file using tar -tf filename prior to extracting the files, and refuse any archive whose listing contains ".." components or absolute paths.
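The listing check described above, carried out in code rather than by eye. This is an added example and not code from the column, unzip or GNU tar; it generalizes the two cases in the text (".." in a tar path, a leading "/" in a zip path) to both archive formats, adds the resolved-path check that catches mixtures such as pkg/../../x, and also flags tar symlinks that point above the extraction root, which the column does not mention. The hostile archives are constructed in memory so nothing is written to disk, and /srv/extract is an assumed destination.

```python
"""Audit tar/zip member names for directory traversal before extracting."""
import io
import os
import posixpath
import tarfile
import zipfile


def is_unsafe_name(name: str) -> bool:
    """Lexical check: absolute path, Windows drive letter, or a '..' component."""
    n = name.replace("\\", "/")
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True
    return ".." in n.split("/")


def escapes_destination(dest: str, name: str) -> bool:
    """Semantic check: resolve the member under dest and confirm it stays inside."""
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def symlink_escapes(member: tarfile.TarInfo) -> bool:
    """Tar symlink whose target resolves above the archive root."""
    if not member.issym():
        return False
    if member.linkname.startswith("/"):
        return True
    joined = posixpath.normpath(
        posixpath.join(posixpath.dirname(member.name), member.linkname))
    return joined.split("/")[0] == ".."


def audit_archive(data: bytes, dest: str) -> list:
    """Return the member names that must not be extracted into dest.

    Accepts zip or (optionally compressed) tar bytes.  Only the member
    listing is read; nothing is extracted.
    """
    bio = io.BytesIO(data)
    bad = []
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        with zipfile.ZipFile(bio) as zf:
            for name in zf.namelist():
                if is_unsafe_name(name) or escapes_destination(dest, name):
                    bad.append(name)
        return bad
    bio.seek(0)
    with tarfile.open(fileobj=bio, mode="r:*") as tf:
        for m in tf.getmembers():
            if (is_unsafe_name(m.name) or escapes_destination(dest, m.name)
                    or symlink_escapes(m)):
                bad.append(m.name)
    return bad


def build_sample_tar() -> bytes:
    """Constructed hostile tar: a benign file, two traversal names, one escaping symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("docs/README", "../../etc/passwd", "/etc/shadow"):
            info = tarfile.TarInfo(name)
            payload = b"owned\n"
            info.size = len(payload)
            tf.addfile(info, io.BytesIO(payload))
        link = tarfile.TarInfo("docs/etc")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../etc"
        tf.addfile(link)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed hostile zip: a benign file, an absolute path, a '..' path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pkg/setup.sh", "#!/bin/sh\necho hello\n")
        zf.writestr("/etc/cron.d/evil", "* * * * * root /tmp/x\n")
        zf.writestr("pkg/../../.bashrc", "echo pwned\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("tar", build_sample_tar()), ("zip", build_sample_zip())):
        print(label, "members refused:", audit_archive(blob, "/srv/extract"))
```

The lexical check alone is what a grep over tar -tf output gives you; the realpath comparison is the one that still holds when the archive mixes benign prefixes with ".." segments, and it is the check to keep if you only keep one.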
The gv PDF and PostScript viewer can be exploited using a file with a carefully-crafted file name, causing gv to execute arbitrary shell commands with the permissions of the user running gv. Users should watch their vendor for an update that repairs this problem and should consider disabling gv until it has been repaired.
An update is reported to be available for Gentoo Linux.
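The class of bug behind a "crafted file name runs shell commands" advisory, shown as an added example that is not gv's code: a viewer that needs to run an external helper on the file (a decompressor, say) builds "helper <filename>" as one string and hands it to the shell, so metacharacters in the name become extra commands. printf stands in for the helper here (an assumption, chosen so the demo has no side effects), and the hostile name is constructed.

```python
"""Splicing a file name into a shell command versus passing it as argv."""
import shlex
import subprocess

# Constructed hostile file name: everything after ';' is a second command
# if the name is ever parsed by a shell.
CRAFTED_NAME = "report.ps; echo INJECTED"


def vulnerable_helper_output(filename: str) -> str:
    """Splice the name into a command string and hand it to /bin/sh (the bug)."""
    cmd = f"printf '%s\\n' {filename}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_helper_output(filename: str) -> str:
    """Pass the name as one argv element; no shell ever sees it (the fix)."""
    return subprocess.run(["printf", "%s\\n", filename],
                          capture_output=True, text=True).stdout


def quoted_shell_helper_output(filename: str) -> str:
    """If a shell is unavoidable, quote the name so it stays a single word."""
    cmd = f"printf '%s\\n' {shlex.quote(filename)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_helper_output(CRAFTED_NAME)))
    print("argv      :", repr(hardened_helper_output(CRAFTED_NAME)))
    print("quoted    :", repr(quoted_shell_helper_output(CRAFTED_NAME)))
```

Run it and the vulnerable variant prints two lines, the second of which came from the file name, while both hardened variants print the name as a single argument. The argv form is preferable to quoting because it removes the shell from the path entirely rather than relying on quoting being applied at every call site.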
SMRSH, a restricted shell from the Sendmail Consortium, is reported to be vulnerable to two attacks that can be used to bypass the shell restrictions and execute commands on the system. An attacker must be able to modify their .forward file before being able to conduct these attacks. The Sendmail Consortium has released a patch to SMRSH that protects against these attacks and recommends that all affected users update.
Heimdal is a Kerberos 4 and 5 implementation. Multiple buffer overflows and other security problems have been found in Heimdal that can be exploited to obtain root access and execute arbitrary code.
It is recommended that affected users upgrade to a repaired version as soon as possible. SuSE has released updated packages that repair this problem.
logsurfer is used to watch logfiles in real time and perform actions based on a set of rules. logsurfer is vulnerable to a buffer overflow and to a problem with an uninitialized buffer.
logsurfer is only vulnerable to the buffer overflow when the
action is used. The buffer overflow can be used in a denial-of-service attack against
logsurfer, or possibly be exploitable to execute
arbitrary code as the user running
logsurfer. The uninitialized
buffer can cause a line of data in the buffer to be read in as a
Users should upgrade to version 1.5b of logsurfer.
It has been reported that kghostview is vulnerable to multiple buffer overflows that can be exploited using a carefully-crafted file, causing arbitrary code to be executed with the permissions of the user viewing the file.
Affected users should watch their vendor for an update.
The WN Web server is vulnerable to a buffer overflow in the code that handles a GET request. This buffer overflow can be exploited by a remote attacker to execute arbitrary code with the permissions of the user running WN. Versions 1.18.2 through 2.0.0 of WN are reported to be vulnerable. It is recommended that users upgrade to WN Server 2.4.4 as soon as possible.
The rogue game is a fantasy computer game. dm is a set-group-id games utility that is used to wrap the execution of games. When rogue is run under dm, it does not drop the games group id and can be manipulated into giving the attacker group games permissions. A script to automate the exploitation of this problem has been published. Affected users should disable the running of rogue under dm by editing dm's configuration until rogue is modified to drop the group permissions.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.