Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in PHP, Perl, the GNU C Library, OpenBSD, FreeBSD, NetBSD, Oracle9i, RealOne, RealPlayer, CVSup,
- GNU C Library
- FreeBSD and NetBSD
- RealOne and RealPlayer
It has been reported that, under some conditions, PHP can leak the contents of variables from one virtual host to another virtual host on the same machine. According to the report, one of the conditions is that the variable
register_globals = on must be set in the system php.ini file and that some virtual hosts have
register_globals = off in their .htaccess configuration file.
Affected users should watch their vendors for an updated version of PHP. It is also suggested that for systems with virtual hosts
register_globals be set to off in the system php.ini file unless there is a known reason to have it set to on.
The programming language Perl has a helper application named
suidperl that is used to execute set user id Perl scripts safely. Bugs in
suidperl can be exploited by an attacker to obtain information about files and the file system, in excess of the attackers permissions.
Affected users should watch their vendors for a repaired version of Perl.
GNU C Library
The GNU C library
glibc has a bug in the resolver code that can be exploited (by a remote attacker with a DNS packet larger than 1024 bytes) to crash the application linked against
glibc. In most cases, generating a large DNS packet would require that the attacker control a DNS server that is responding to a request. The bug is reported to affect
glibc versions through 2.2.5.
Users should watch their vendors for an updated package.
|Linux/Unix System Administration Certification -- Would you like to polish your system administration skills online and receive credit from the University of Illinois? Learn how to administer Linux/Unix systems and gain real experience with a root access account. The four-course series covers the Unix file system, networking, Unix services, and scripting. It's all at the O'Reilly Learning Lab.|
It has been reported that OpenBSD 3.4 is vulnerable to a IPV6-related, remote denial-of-service attack. The report states that the vulnerability is exploited by setting a low MTU on the OpenBSD machine and then connecting with a IPV6 TCP packet.
This vulnerability has been repaired in OpenBSD-current, and a patch has been made available.
OpenBSD, FreeBSD, and NetBSD
There is a bug reported in the
shmat() function call under OpenBSD, FreeBSD, and NetBSD that may be exploitable by a local attacker to write to kernel memory and gain unauthorized permissions. This bug is reported to affect FreeBSD versions 2.2.0 and earlier, NetBSD versions 1.3 and earlier, and OpenBSD versions 2.6 and earlier. The
shmat() function call is used to map shared memory under the System V Shared Memory interface.
Patches to repair this bug have been released for OpenBSD 3.4-stable and 3.3-stable. FreeBSD users should upgrade to 4-STABLE, or to the RELENG_5_2, RELENG_5_1, RELENG_4_9, or RELENG_4_8, security dated after February 5th, 2004 or apply the available patch and recompile their kernels. NetBSD users should watch for a patch or update.
The Oracle9i database is vulnerable to multiple buffer overflows that can be exploited to execute arbitrary code with the permissions of user account the database is running under (most often, oracle). Buffer overflows have been reported in the code involved with the functions
FROM_TZ, and in the code that deals with the
TIME_ZONE variable. It is reported that these vulnerabilities affect Oracle9i versions 184.108.40.206 and earlier.
Also in Security Alerts:
Users should upgrade to version 220.127.116.11 of Oracle and apply Patch 3.
RealOne and RealPlayer
RealNetworks' RealOne and RealPlayer media players are vulnerable to an attack that uses carefully crafted .RP, .RT, .RAM, .RPM, or .SMIL files to cause a buffer overflow and arbitrary execute code with the permissions of the user running the player. In addition, another flaw in some versions of the player can be exploited to force the player to download files from an arbitrary web site.
It is recommended that users of RealOne and RealPlayer upgrade to repaired versions as soon as possible.
CVSup is a package for distributing and updating collections of files (source, binary, hard links, symbolic links, and even device files) across a network. Several binary CVSup packages are reported to contain possibly untrusted paths in the
RPATH variable in the
cvpasswd executables. This can, under some conditions, lead to arbitrary code being executed with the permissions of the user running CVSup. Packages reported to be affected include cvsup-16.1h-2.i386.rpm by Anthon van der Neut and cvsup-16.1h-43.i586.rpm by SuSE Linux.
Affected users should watch their vendors for a repaired package, or recompile CVSup with either a safe value for
RPATH or statically.
The instant-messaging client
gaim is vulnerable to two buffer overflows that can, under some circumstances, be exploited by a remote attacker to execute arbitrary code with the permissions of the user running
gaim should watch their vendors for an updated package. Updated packages have been released for SuSE Linux.
libtool is a set of scripts used to create shared libraries from object files. The script ltmain.sh is vulnerable to a temporary file symbolic-link race condition that can be exploited by a local attacker to overwrite arbitrary files on the system with the permissions of the user running
It is recommended that all developers and other users of
libtool upgrade to version 1.5.2 or newer as soon as possible.
The mailing list manager
mailman is vulnerable to a cross-site scripting-based attack in the admin interface that can, under some circumstances, be used to steal session cookies and make unauthorized modifications to a mailing list's configuration. This vulnerability is reported to affect versions of
mailman from 2.1 up to (but not including) 2.1.4.
Affected users should upgrade to a repaired package from their vendors or to version 2.1.4 or newer.
Read more Security Alerts columns.
Return to the LinuxDevCenter.com.