Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)
 See this if you're having trouble printing code examples


Security Alerts

Temporary-File Race Conditions

by Noel Davis
10/06/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a collection of temporary-file race conditions, and problems in Samba, GNU sharutils, JRun, Subversion, imlib, IBM AIX ctstrtcasd, YahooPOPs, and OpenOffice.org.

Temporary-File Race Conditions

Trustix Security has identified the following packages as containing scripts that are vulnerable to an attack based on a temporary-file, symbolic-link race condition: openssl, Perl, postgresql, gettext, ghostscript, glibc, groff, gzip, kerberos5, lvm, mysql, and netatalk. A temporary-file, symbolic-link race condition may, under some circumstances, be exploitable by an attacker to overwrite arbitrary files with the permissions of the user account executing the vulnerable script.

In addition, a temporary-file, symbolic-link race condition has been found in the NetPBM and getmail packages.

Affected users should watch their vendors for a repaired version of the vulnerable package and should consider with care what scripts they execute on a multiuser system.

Samba

Some versions of Samba are reported to contain a vulnerability that may be exploitable by a remote attacker, who is authorized to access a shared file system, to access files located outside of the authorized directory tree that has been shared using Samba. Exploiting this vulnerability does not grant the attacker additional permissions; it only will allow viewing files outside of the shared path. This vulnerability is reported to affect versions of Samba including 2.2.11 and earlier and 3.0.5 and earlier. The vulnerability is caused by a bug in the code that converts DOS-based path names to Unix path names on the Samba host.

The Samba development team has released version 2.2.12 of Samba to repair this problem and has released a patch for Samba 3.0.5 and earlier. A possible workaround is to set wide links = no in the smb.conf configuration file.

GNU sharutils

The GNU shell archives package sharutils is reported to contain buffer overflows in the shar.c and unshar.c utilities. These buffer overflows may, under some conditions, be exploited by an attacker to execute arbitrary code with the permissions of the user running a script that executes a vulnerable command.

Users should watch their vendors for a repaired version of sharutils and should avoid executing untrusted scripts until these buffer overflows have been repaired. Updated packages for Debian GNU/Linux and Gentoo Linux have been released.

JRun server

Macromedia's JRun server, an application server compatible with Java 2 Enterprise Edition (J2EE), is vulnerable to a buffer overflow that can be exploited, under some conditions, by a remote attacker to execute arbitrary code with the permission of the user account the web server is running under. JRun is only vulnerable when verbose logging has been turned on in the web server's configuration file. JRun is reported to be vulnerable when running under the following web servers: Microsoft IIS (all versions), Netscape, IPlanet, SunOne (all versions), and Apache (all versions).

All users of JRun should apply the Cumulative Security Patch available from Macromedia as soon as possible. As a workaround, users can disable verbose reporting in their web servers' configuration files and restart their web servers.

Subversion

The Subversion source code versioning system was created as a replacement for the popular CVS system. A bug in Subversion's mod_authz_svn Apache module can be abused by a remote attacker to gather information about protected areas in the archive. mod_authz_svn is an Apache module that provides path-based authentication for Subversion repositories.

It is recommended that users upgrade to version 1.0.8 or 1.1.0-rc4 as soon as possible. This problem may be worked around by using Apache's access controls to prevent unauthorized access to specific directories.

imlib

imlib, an image-loading and -rendering library, contains buffer overflows in the code that handles runlength-encoded bitmaps. Both imlib and imlib2 are vulnerable to an attack that uses a carefully crafted BMP file to exploit the buffer overflows and execute arbitrary code with the permissions of the user executing the application linked with imlib.

Users should watch their vendors for a repaired imlib package. Conectiva Linux has released upgraded packages that repair these buffer overflows.

IBM AIX ctstrtcasd

ctstrtcasd is a setuid root application that is installed by default on recent versions of IBM's AIX and is installed with the Reliable Scalable Cluster Technology (RSCT) system, IBM Tivoli System Automation, IBM Cluster Systems Management, IBM Hardware Management Console, and IBM General Parallel File System. ctstrtcasd fails to verify the sanity of its trace file and will write, with root permissions, 65,535 bytes of trace data to any arbitrary file on the system.

It is recommended that users consider removing the set user id bit from ctstrtcasd until it has been replaced with a repaired version.

YahooPOPs

YahooPOPs, an application running on Windows, Linux, Solaris, and Mac servers and provides simulated POP3 and SMTP access to Yahoo Mail, is reported to be vulnerable to multiple buffer overflows. The buffer overflows may be exploitable by a remote attacker and result in a denial of service or arbitrary code execution. A application to automate the exploitation of this vulnerability has been released to the public.

Users should consider disabling YahooPOPs until a repaired version has been released, or carefully restricting access to the application using a firewall.

OpenOffice.org

OpenOffice.org uses the user's umask to create temporary files. This can lead, under some circumstances, to users obtaining and reading documents that belong to other users.

An affected user should set his or her umask to an appropriate value prior to starting OpenOffice.org and should upgrade to a repaired version. Mandrake has released updated OpenOffice.org packages for Mandrake Linux 10.0.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Read more Security Alerts columns.

Return to LinuxDevCenter.com

Copyright © 2009 O'Reilly Media, Inc.