Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts: CUPS Vulnerabilities

by Noel Davis
01/13/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at buffer overflows in libmcrypt, HSphere Webshell, HTTP Fetcher Library, LCDproc, and UnixWare and Open UNIX's ps; and problems in the Common Unix Printing System, BitKeeper, FreeBSD's fpathconf(), S-PLUS, dhcpcd, leafnode, and Middleman.

Common Unix Printing System

The Common Unix Printing System (CUPS) is vulnerable to a collection of problems that a remote or local attacker can use to mount a denial-of-service attack, execute arbitrary code, and, under some conditions, obtain root access to the system. These vulnerabilities include a file race condition, a bug that can be used to add printers remotely, a buffer overflow in code that handles images, a buffer overflow in the HTTP interface, and additional vulnerabilities.

It is recommended that users upgrade to CUPS version 1.1.18 as soon as possible. SuSE has released updated CUPS packages that repair these problems.

BitKeeper

BitKeeper, a source-code management system, is vulnerable to a remote attack that can, under some conditions, be used to execute arbitrary shell commands on the server with the permissions of the user running BitKeeper. In addition, there is a temporary-file symbolic-link race condition that can be used to gain control over BitKeeper.

Users should watch for an updated version of BitKeeper and should consider not running it in daemon mode until it has been repaired.

FreeBSD fpathconf()

A bug in the fpathconf() function call under FreeBSD can improperly increment a file descriptor's reference count. The increased reference count can be used by a local attacker in a denial-of-service attack and, under some conditions, can allow the attacker unauthorized access to privileged files.

It has been reported that a patch has been released for FreeBSD 4.4, 4.5, 4.6, and 4.7 kernels.

libmcrypt

libmcrypt is an encryption library used by mcrypt. mcrypt is a replacement for the crypt utility that supports the encryption algorithms Blowfish, Twofish, DES, TripleDES, 3-WAY, SAFER, LOKI97, GOST, RC2, RC6, MARS, IDEA, RIJNDAEL, SERPENT, CAST, ARCFOUR, and WAKE. libmcrypt is vulnerable to several buffer overflows and a memory leak.

Affected users should upgrade to libmcrypt 2.5.5 as soon as possible.

S-PLUS

S-PLUS, a tool for "exploratory data analysis and statistical modeling," is vulnerable to a symbolic-link race condition in its temporary files that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running S-PLUS.

Users should watch for an update that repairs the race condition.
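
The symbolic-link race on temporary files reported here for S-PLUS, and earlier for BitKeeper, comes down to opening a predictable path in a way that follows a link someone else created first. The C program below is an added example, not code from this column or from either product; the scratch directory and file names are constructed. It compares that open with one that uses O_EXCL and O_NOFOLLOW.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern: a predictable name opened with O_TRUNC follows a symlink. */
static int open_tmp_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL refuses any existing name, symlinks included;
 * O_NOFOLLOW refuses a symlink as the final path component. */
static int open_tmp_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: "target" stands in for
 * a file owned by the user running the tool, and "tool.tmp" for the tool's
 * predictable temp name, which already exists as a symlink to the target.
 * Returns the target's size after the open; *err gets errno if it failed. */
long run_scenario(int use_safe, int *err) {
    char dir[] = "/tmp/symrace-demo-XXXXXX";
    char target[128], tmp[128];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(tmp, sizeof tmp, "%s/tool.tmp", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -2;
    fputs("important data\n", f);            /* 15 bytes of sample content */
    fclose(f);
    if (symlink(target, tmp) != 0) return -2;

    int fd = use_safe ? open_tmp_safe(tmp) : open_tmp_unsafe(tmp);
    *err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(target); rmdir(dir);  /* clean up the scratch files */
    return size;
}

int main(void) {
    int e1, e2;
    long a = run_scenario(0, &e1), b = run_scenario(1, &e2);
    printf("unsafe: target=%ld bytes; safe: target=%ld bytes, errno=%d\n", a, b, e2);
    return 0;
}
```

In real code, mkstemp() is the usual way to get both an unpredictable name and an exclusive create in one call.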

dhcpcd

The DHCP daemon dhcpd may, under some circumstances, be exploitable by a remote attacker to execute arbitrary shell commands on the system with the permissions of the user running the daemon. This vulnerability is due to insufficient input validation by the script /sbin/dhcpd-<interface>.exe. This script is not installed by default in any known distribution.

Affected users should remove or disable the /sbin/dhcpd-<interface>.exe script until it has been replaced by a secure version.

HSphere Webshell

HSphere Webshell is a Web-based front end for FTP that runs with root permissions so that it can access the shadow file to authenticate users. Webshell is vulnerable to a buffer overflow that can be used by a remote or local attacker to execute arbitrary code with root permissions. The buffer overflow is reported to affect HSphere Webshell 20020224 and may also affect earlier releases. Both a local and a remote automated exploit for this vulnerability have been released.

All users of Webshell should upgrade to version 2.4 or newer as soon as possible and should consider disabling it until it can be upgraded.

HTTP Fetcher Library

The HTTP Fetcher library has several buffer overflows that may, under some conditions, be exploitable by a remote attacker to execute arbitrary code. The file download utility fetch is reported to be affected by this vulnerability.

Users should disable fetch and any other application linked against HTTP Fetcher until it has been repaired and the applications recompiled or replaced with a safe version.

leafnode

leafnode, a proxy server for Usenet news, has a bug that can be used as part of a denial-of-service attack against the system.

It is suggested that users upgrade leafnode to version 1.9.30 or 1.9.31.

LCDproc

LCDproc is used to display real-time system data on an LCD display. LCDproc is vulnerable to several buffer overflows that may be usable in a denial-of-service attack or to execute arbitrary code with the permissions of the user running the software (often root or another privileged account). The buffer overflows are reported to affect only version 0.4 of LCDproc. An automated exploit of this problem has been released.

Affected users can upgrade to version v0.4.3 (which appears to repair the buffer overflows) or downgrade to version 0.3.

Middleman

The proxy server Middleman is vulnerable to an off-by-one attack that may be exploitable by a remote attacker to execute arbitrary code with, in most cases, root permissions.

Users should watch for a repaired version and should consider running Middleman under an unprivileged user account or configuring it to drop unneeded permissions after starting up.

UnixWare and Open UNIX ps

The ps command distributed with UnixWare 7.1.1 and Open UNIX 8.0.0 has a buffer overflow that can be exploited by a local attacker to execute code with increased permissions.

SCO recommends that users upgrade their ps command as soon as possible.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.