Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts MySQL Trouble

by Noel Davis
04/22/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in the Linux kernel, MySQL, CVS, Cadaver, subversion, sitecopy, tla, iproute, Zope, logcheck, kdeprint, emil, and GNU Sharutils.

Linux Kernel Problems

Problems have been found in the Linux kernel code that handles the R128 DRM (video) driver, ISO9660 filesystems, and ncp_lookup in the NCP filesystem code, each of which can lead to a local attacker gaining root permissions. In addition, there is a problem in the ext3 filesystem code that can lead to unauthorized access to information, and a problem in the Sound Blaster driver code that can be used as part of a denial-of-service attack.

These problems are reported to be fixed in the 2.4.26 Linux kernel. Users should upgrade to a repaired kernel as soon as possible. Packages have been released for Trustix Secure Linux 2.0, 2.1, and Secure Enterprise Linux 2; Debian GNU/Linux; Conectiva Linux; and Mandrake Linux. Affected users should contact their vendors for detailed information.

MySQL

The scripts mysqlbug and mysqld_multi that are supplied with the MySQL database are reported to create temporary files with predictable names, a symbolic-link race condition that a local attacker can use to overwrite files on the system with the permissions of the user executing the script (root, if an administrator runs them).

The versions of the scripts that are in the MySQL source repository are reported to be fixed. Affected users should consider upgrading their mysqlbug and mysqld_multi scripts. Updated packages have been released for Debian GNU/Linux 3.0 alias woody; Red Hat Linux 9; and OpenPKG CURRENT, 2.0, and 1.3.


CVS

CVS (the Concurrent Versions System) is an open source networked version control system. Two pathname-related vulnerabilities have been discovered in CVS. The first can be used by a malicious server to create arbitrary files on a client machine when the client checks out or updates code: the server supplies absolute pathnames in its RCS diff output and the client writes to them without checking that they fall inside the working copy. The second can be used by a remote attacker to read files outside the CVS root directory by including "../" in a path name sent to the server.

Users of CVS should upgrade to Stable CVS 1.11.15 or newer as soon as possible and should consider disabling remote CVS operations until CVS has been updated.
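Both CVS problems come down to accepting a pathname from the other side of the connection without confining it to a root directory. The check below is an added illustration written for this column, not code from CVS: it rejects an absolute name (the client-side bug) and any ".." component (the server-side bug) while accepting ordinary relative names. It handles POSIX path syntax only, and the sample paths are invented.

```c
/* Added example, not CVS's code: a path check that rejects both pathname
 * problems described above, a server-supplied absolute name that escapes
 * the working copy and a "../" sequence that climbs out of the root.
 * POSIX path syntax only; sample paths below are invented.               */
#include <stdio.h>
#include <string.h>

/* Return 1 if path is a relative name that stays inside the directory it is
 * resolved against, 0 otherwise. Every '/'-separated component is inspected
 * individually, so "a/../../b" is rejected while "a/..b/c" is accepted.    */
int path_is_confined(const char *path)
{
    if (path == NULL || path[0] == '\0')
        return 0;
    if (path[0] == '/')                     /* absolute: ignores the root entirely */
        return 0;
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t n = end ? (size_t)(end - p) : strlen(p);
        if (n == 2 && p[0] == '.' && p[1] == '.')
            return 0;                       /* ".." component: climbs out */
        if (!end)
            return 1;                       /* last component checked */
        p = end + 1;
    }
}

int main(void)
{
    /* Constructed names of the kind a CVS client or server might be handed. */
    const char *samples[] = {
        "src/main.c",                              /* fine */
        "/etc/passwd",                             /* absolute: rejected */
        "../../etc/passwd",                        /* climbs out: rejected */
        "module/../../../.ssh/authorized_keys",    /* climbs out: rejected */
        "module/..hidden/file",                    /* not a ".." component: fine */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s %s\n", samples[i],
               path_is_confined(samples[i]) ? "ok" : "REJECT");
    return 0;
}
```

The check is purely lexical: it says nothing about symbolic links that already exist inside the tree, which a server-side check would still have to resolve (for example with realpath(3)) before trusting the result.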

Cadaver, subversion, sitecopy, and tla (Neon)

Neon is a C language library that provides HTTP and WebDAV client functions. Cadaver is a WebDAV client written for the Unix command line that supports collection creation, uploads, downloads, namespace functions, deletion, and locking operations. sitecopy is a utility used in maintaining remote web sites. subversion is a version control system that aims to replace CVS. Multiple format-string vulnerabilities have been reported in the Neon library that is linked to by Cadaver, subversion, sitecopy, and tla. These vulnerabilities can be exploited if the client connects to a server under the control of an attacker, and can result in code being executed on the client with the permissions of the user running the application. It is possible that this attack could also be carried out by a man-in-the-middle who alters the server's responses in transit.

It is highly recommended that users upgrade to version 0.22.1 of Cadaver or version 1.0.2 of subversion as soon as possible. Users of sitecopy and tla should watch for updated versions. Users may also upgrade neon to version 0.24.5 or newer and recompile or relink any affected applications.
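A format-string bug of the kind reported in Neon arises when text received from the server is passed to a printf-family function as the format rather than as an argument. The program below is an added illustration, not Neon's code: the function names and the sample status line are invented, and Neon's real call sites differ. It shows the vulnerable call beside the one-line fix, using a reason phrase containing "%%" because that is the one conversion that can be fed to the vulnerable version without reading or writing outside the buffer.

```c
/* Added example, not Neon's code: the shape of the bug the advisory describes,
 * with the fix beside it. Function names and the status line are invented.  */
#include <stdio.h>
#include <string.h>

/* Return the reason phrase of a status line, e.g. "HTTP/1.1 403 Forbidden"
 * -> "Forbidden". Constructed input; a real parser also validates the
 * version and the status code.                                             */
static const char *reason_phrase(const char *status_line)
{
    const char *sp = strchr(status_line, ' ');        /* after the version */
    if (!sp) return status_line;
    sp = strchr(sp + 1, ' ');                         /* after the status code */
    return sp ? sp + 1 : "";
}

/* Vulnerable: the server-controlled reason phrase becomes the format string.
 * printf conversions in it are acted on: "%x" reads the stack, "%n" writes
 * to memory, which is how a malicious server turns this into code execution.
 * Most compilers flag this call under -Wformat-security; the pragma only
 * keeps the example compiling so the bug can be demonstrated.              */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
const char *error_message_vuln(const char *status_line)
{
    static char out[128];
    snprintf(out, sizeof out, reason_phrase(status_line));   /* BUG */
    return out;
}
#pragma GCC diagnostic pop

/* Fixed: a constant format; the server's text is only ever a %s argument. */
const char *error_message_fixed(const char *status_line)
{
    static char out[128];
    snprintf(out, sizeof out, "%s", reason_phrase(status_line));
    return out;
}

int main(void)
{
    const char *line = "HTTP/1.1 403 Forbidden %%";          /* constructed */
    printf("vulnerable: \"%s\"\n", error_message_vuln(line));  /* Forbidden %  */
    printf("fixed:      \"%s\"\n", error_message_fixed(line)); /* Forbidden %% */
    return 0;
}
```

The difference in output is small here, but it is the whole bug: in the vulnerable version the server decides what snprintf does, and a phrase containing "%n" would let it write to the client's memory. Building with -Wformat-security (the default on several distributions) catches every such call site.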

iproute

iproute is a set of tools used in controlling Linux networking. It has been reported that the iproute tools are vulnerable to a locally exploitable denial-of-service attack. The vulnerability is related to iproute using the netlink interface but not checking to ensure that a netlink message comes from the kernel and not from another user process, which allows any local user to feed the tools forged messages.

Users should watch their vendors for a repaired version of iproute.
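Every netlink datagram delivered by recvmsg(2) comes with the sender's address, and the kernel's own port id in that address is 0. The function below is an added illustration, not iproute's code, of the check the advisory says was missing: it refuses any message whose sender is not the kernel and also rejects a header whose length field does not fit the data actually received. The helper that builds sample messages is invented for the demonstration. Linux only, since it uses <linux/netlink.h>.

```c
/* Added example, not iproute's code: the sender check the advisory says was
 * missing, plus the usual header-length sanity check. Linux-only.        */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>

/* Validate one datagram as it came back from recvmsg(2): src is the
 * msg_name (struct sockaddr_nl) the kernel filled in, buf/len the payload.
 * Returns 1 if the message is from the kernel and well-formed, else 0.   */
int netlink_msg_trusted(const struct sockaddr_nl *src, const void *buf, size_t len)
{
    if (src == NULL || buf == NULL || src->nl_family != AF_NETLINK)
        return 0;
    if (src->nl_pid != 0)            /* the missing check: not the kernel */
        return 0;
    const struct nlmsghdr *nlh = buf;
    if (!NLMSG_OK(nlh, (int)len))    /* header present, nlmsg_len within len */
        return 0;
    return 1;
}

/* Invented helper: build a datagram claiming to come from sender_pid, whose
 * header says claimed_len bytes, of which actual_len were really received. */
int check_sample(unsigned sender_pid, unsigned claimed_len, size_t actual_len)
{
    struct sockaddr_nl src;
    union { struct nlmsghdr h; unsigned char raw[64]; } msg;   /* aligned */

    memset(&src, 0, sizeof src);
    memset(&msg, 0, sizeof msg);
    src.nl_family = AF_NETLINK;
    src.nl_pid = sender_pid;
    msg.h.nlmsg_len = claimed_len;
    msg.h.nlmsg_type = NLMSG_DONE;
    if (actual_len > sizeof msg)
        actual_len = sizeof msg;
    return netlink_msg_trusted(&src, &msg, actual_len);
}

int main(void)
{
    unsigned hdr = (unsigned)sizeof(struct nlmsghdr);
    printf("from kernel, consistent length: %d\n", check_sample(0, hdr, hdr));
    printf("from pid 4242 (a user process): %d\n", check_sample(4242, hdr, hdr));
    printf("from kernel, length overruns:   %d\n", check_sample(0, 64, hdr));
    return 0;
}
```

In a real receive loop the sockaddr_nl comes from the msg_name field of the msghdr passed to recvmsg; reading the nl_pid of the socket itself (from getsockname) is not the same thing and tells you nothing about who sent a given message.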

Zope

Zope, an open source web application server, is vulnerable to a bug that can be exploited by anonymous and otherwise unauthorized users to call arbitrary methods (object-oriented function calls) on catalog indexes.

All users of Zope should upgrade to a repaired version as soon as possible.


logcheck

Under some conditions, the logcheck utility is vulnerable to an attack, based on a temporary-file, symbolic-link race condition, that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running logcheck (which in most cases will be root). When logcheck is installed, it creates a directory under /var/tmp for its working files. If this directory is removed, the utility becomes vulnerable to attack.

Affected users should watch their vendors for a repaired version of logcheck and should consider not running it until it has been updated.
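The MySQL script problem above and this logcheck problem are the same class of bug: a file is created at a name an attacker can predict in a directory the attacker can write to. The program below is an added illustration, not code from the column, MySQL, or logcheck. It plants a symbolic link at a predictable temporary-file name, then compares the plain open(2) call the vulnerable scripts effectively make with the O_EXCL form that mktemp(1) and mkstemp(3) use. All paths are invented and everything happens inside a private mkdtemp(3) directory, so nothing outside it is touched.

```c
/* Added example, not code from the column, MySQL or logcheck: plant a
 * symlink at a predictable temporary-file name and compare the classic
 * open(2) call with the hardened one. Paths are invented; everything
 * lives in a private mkdtemp(3) directory.                               */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Vulnerable pattern: fixed name, O_CREAT without O_EXCL. If the attacker
 * has already created a symlink at that name, the kernel follows it and the
 * data lands in the link's target, with the caller's privileges.          */
static int unsafe_write(const char *tmpname, const char *data)
{
    int fd = open(tmpname, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened pattern: O_EXCL makes the create fail with EEXIST if anything,
 * a dangling symlink included, already sits at the name. mkstemp(3), and
 * mktemp(1) in shell scripts, do the same with an unpredictable name.     */
static int safe_write(const char *tmpname, const char *data)
{
    int fd = open(tmpname, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;                      /* refuse the pre-existing entry */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Run one writer against a planted symlink and return the victim file's
 * contents afterwards: "overwritten" if the attack worked, "original" if
 * not, "error" if the scratch directory could not be set up.            */
const char *race_result(int (*writer)(const char *, const char *))
{
    static char buf[64];
    char dir[] = "/tmp/raceXXXXXX";     /* private stand-in for /var/tmp */
    char victim[256], lnk[256];

    if (!mkdtemp(dir))
        return "error";
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/mysqlbug-report", dir);   /* predictable */

    FILE *f = fopen(victim, "w");       /* constructed file the caller must not clobber */
    if (!f)
        return "error";
    fputs("original\n", f);
    fclose(f);

    (void)symlink(victim, lnk);         /* attacker wins the race: link is planted first */
    (void)writer(lnk, "overwritten\n"); /* victim process creates its "temporary" file */

    f = fopen(victim, "r");
    if (!f || !fgets(buf, sizeof buf, f))
        buf[0] = '\0';
    if (f)
        fclose(f);
    buf[strcspn(buf, "\n")] = '\0';

    unlink(lnk); unlink(victim); rmdir(dir);
    return buf;
}

int main(void)
{
    printf("plain open:   victim now contains \"%s\"\n", race_result(unsafe_write));
    printf("O_EXCL open:  victim now contains \"%s\"\n", race_result(safe_write));
    return 0;
}
```

Note that the hardened version refuses rather than retries: a script that loops over predictable names until one is free is still racing the attacker, which is why the fixed scripts switch to mktemp(1) and a random name.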

kdeprint

The kdeprint supplied with SuSE Linux did not use the -dSAFER option when executing Ghostscript. Without -dSAFER, Ghostscript does not restrict the file operations a PostScript program may perform, so a crafted print job could read or write files with the privileges of the process doing the printing.

Users should upgrade their kdelibs3 packages to fix this problem.

emil

The emil mail filter program is vulnerable to buffer overflows and format-string vulnerabilities that may, under some conditions, be used by a remote attacker to execute arbitrary code with the permissions of the user running emil.

Affected users should watch their vendors for a repaired version of emil.

GNU Sharutils

The GNU Sharutils package allows the creation and unpacking of SHell ARchives, often used to send large binary files by email. A buffer overflow has been reported in the shar utility in the code that handles the -o command-line option. In most installations, exploiting the buffer overflow will not gain the attacker any additional permissions, as shar is not normally installed with a set user or group id bit. But in some cases, it could be exploited for privilege gain; for example, if shar is executed by a CGI script and the attacker can control the -o argument it receives.

Affected users should watch their vendors for an updated version.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.