LinuxDevCenter.com

Security Alerts Unzipping Problems

by Noel Davis
07/14/2003

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PHP, OpenLDAP, Xpdf, Adobe Acrobat Reader, Mozart, liece, OpenBSD's Packet Filter, unzip, Imagemagick, Ezbounce, semi, and wemi.

PHP

The code that handles transparent session IDs in PHP contains a bug that can be exploited, under some conditions, to embed a script in web pages in a cross-site scripting attack. Exploiting this bug requires that the session.use_trans_sid option be enabled. It has also been reported that under some circumstances, "safe mode" can be bypassed when using the mail() function to send email.

Users should watch for updated PHP packages from their vendors that repair these problems.

OpenLDAP

OpenLDAP is an LDAPv2 and LDAPv3 server. OpenLDAP has several problems that have been reported, including a pair of remotely exploitable denial-of-service vulnerabilities and a problem with "one shot" replication. A failure within a password extended operation can lead to memory being released that was not allocated, causing a denial-of-service condition. The back-ldbm back end is reported to have a memory leak that can also lead to a denial-of-service condition. The slurpd utility's "one shot" replication mode is reported to not be working in OpenLDAP 2.1.16.

It is recommended that users upgrade to OpenLDAP 2.1.21 or newer as soon as possible.

Xpdf and Adobe Acrobat Reader

Xpdf and Adobe Acrobat Reader are viewers for PDF (Portable Document Format) files. They are vulnerable to an attack that embeds shell commands within links contained in a carefully crafted PDF file. When the victim selects the link, Xpdf will execute the commands while launching the browser or mail client. Adobe Acrobat 5.06 and Xpdf 1.01 are reported to be vulnerable.

In addition, there is a buffer overflow in Adobe Acrobat Reader that is also exploited by a user selecting a link in a carefully crafted PDF file when the link is more than 256 bytes long. The buffer overflow is reported to affect versions 5.0.7 and earlier.

Users should upgrade to repaired versions as soon as possible and should exercise care when viewing PDF files with a vulnerable viewer.

The Mozart Programming System

The Mozart Programming System is a development environment for distributed applications built on the Oz language. Mozart will configure the system mailcap file so that Oz application files will be interpreted by Mozart. This can cause arbitrary Oz files from untrusted sources to be executed by web browsers, mail clients, file managers, and other applications that use the mailcap file.

Users should watch for an updated version that provides a solution for this problem.

liece

liece, an IRC client for Emacs, is vulnerable to a symbolic-link race condition that can be used by an attacker to overwrite arbitrary files on the system with the permissions of the user running emacs.

Affected users should watch their vendor for a repaired version.

OpenBSD Packet Filter

It has been reported that the packet filter in OpenBSD can leak information that can be used by an attacker to gather information about the network the firewall is on.

Users of OpenBSD's packet filter should watch for an updated packet filter.

unzip

The archiving tool unzip has a bug that can be exploited using a carefully crafted .zip file to overwrite arbitrary files or to plant trojan files on the system, using the permissions of the user unzipping the file. The attacker places unprintable characters between two periods in the .zip file. When the .zip file is unpacked, the unprintable characters are filtered out, leaving the two periods (".."). This bug is reported to affect unzip 5.50 and earlier.

Users should upgrade to a repaired unzip package as soon as possible and should refrain from unzipping archives from untrusted sources until unzip has been updated.
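The ordering problem behind the unzip bug, as an added illustration that is not part of the original column or of unzip's own source: an extractor that checks an entry name for ".." before stripping unprintable characters is fooled by a name such as ".\x01./outside.txt", while one that decides on the final on-disk path is not. The entry names and the destination directory are constructed for the example; nothing is written to disk.

```python
import os

# Added example (not from the column or from unzip): why filtering unprintable
# characters out of an entry name AFTER the ".." check is unsafe, and how an
# extractor should vet the final on-disk path instead.

DEST = "/tmp/extract"  # constructed destination directory; never written to


def strip_unprintable(name: str) -> str:
    """Mimic the filtering the advisory describes: drop non-printable characters."""
    return "".join(ch for ch in name if ch.isprintable())


def flawed_is_allowed(name: str) -> bool:
    """Flawed ordering: check the raw name, then filter.  The check sees the
    component '.\\x01.' (not '..') and passes; the filter then turns it into '..'."""
    if any(part == ".." for part in name.split("/")):
        return False
    cleaned = strip_unprintable(name)  # rewrites the name after the check ran
    return not os.path.isabs(cleaned)


def safe_target(dest: str, name: str):
    """Return the absolute path an entry would be written to, or None if that
    path escapes dest.  The decision is made on the final, post-filter path."""
    cleaned = strip_unprintable(name).lstrip("/")
    dest_abs = os.path.abspath(dest)
    target = os.path.abspath(os.path.join(dest_abs, cleaned))
    if os.path.commonpath([dest_abs, target]) != dest_abs:
        return None
    return target


# Constructed entry names: a benign file and one using the trick from the advisory.
SAMPLE_ENTRIES = ["docs/readme.txt", ".\x01./outside.txt"]


def vet(entries):
    """Compare both approaches over the sample names: name -> (flawed verdict, safe path)."""
    return {e: (flawed_is_allowed(e), safe_target(DEST, e)) for e in entries}


if __name__ == "__main__":
    for name, (flawed, safe) in vet(SAMPLE_ENTRIES).items():
        print(repr(name), "flawed check allows:", flawed, "safe target:", safe)
```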

Imagemagick

The Imagemagick libraries provide a set of tools and libraries that allow the reading, writing, and modification of images in many file formats. Imagemagick versions before 5.5.7.0 are vulnerable to a temporary file, symbolic-link race condition that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running Imagemagick tools (or applications that are linked to Imagemagick libraries).

Users should upgrade to version 5.5.7.0 of Imagemagick or to a repaired package provided by their vendor.

Ezbounce

Ezbounce is an IRC (Internet Relay Chat) proxy server with many configuration options. Ezbounce is vulnerable to a remotely exploitable format-string vulnerability in the code that handles the session's command. A program to automate the exploitation of this vulnerability has been released to the public.

Affected users should watch for a repaired version. When possible, users should consider protecting the proxy server using a firewall.

semi and wemi

semi, a MIME library for emacs, is vulnerable to a temporary file, symbolic-link race condition that can be used by an attacker to overwrite arbitrary files on the system with the permissions of the user running emacs. wemi is a MIME library that was forked from the semi code and is also vulnerable.

Affected users should watch their vendors for a repaired version.

Printer Drivers and Utilities

Several printer drivers and utilities have been reported to have vulnerabilities. These include a buffer overflow in escputil and a temporary file, symbolic-link race condition in ml85p.

Users should upgrade as soon as possible and if the printing system is not being used, should consider disabling it.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.