Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at a problem with Perl's safe mode; some serious vulnerabilities in MySQL; buffer overflows in tcpdump, Canna, and GTetrinet; and problems in lynx, mICQ, Sun Cobalt RaQ 4 Server Appliances, dvips, and Exim.
The Safe extension module Safe.pm that is distributed with all versions of the Perl programming language has a security flaw that is exploitable when a Safe compartment is used multiple times.
Affected users should contact their vendor for updated packages.
MySQL has several vulnerabilities that can be used to execute arbitrary code or used in a denial-of-service attack against the database server. These vulnerabilities include:
A buffer overflow in the code that handles COM_TABLE_DUMP can be used in a denial-of-service attack. The buffer overflow is reported to affect Linux, FreeBSD, and MS Windows systems.
There is a flaw in the password authentication system in MySQL that makes it possible for an attacker to authenticate as another user in no more than 32 attempts. The attacker must have a valid account and can only attack accounts that have permission to log in from the host they are on. A local user or a remote user in an environment that allows remote root logins can gain full access to all databases. There is also a buffer overflow in the password authentication system.
The MySQL client is vulnerable to a buffer overflow when it reads rows from the database. This vulnerability can be used in a denial-of-service attack against the client and may, under some circumstances, be exploitable to execute code on the client machine.
It is recommended that users upgrade to MySQL 3.23.54 as soon as possible. Any software that is linked against libmysql should also be upgraded or recompiled.
Several problems have been reported in wget, a file retrieval utility that uses FTP or HTTP to fetch files across a network. These problems include a buffer overflow in the code that handles the URL of the file to be retrieved, and a problem with the processing of FTP server responses that can result, under some conditions, in arbitrary local files being overwritten.
Users should watch their vendor for an updated package that repairs this problem.
The text-based Web browser lynx does not properly filter all illegal characters. This can be used by an attacker to insert extra HTTP headers into a request.
Affected users should watch their vendor for an updated version.
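The header-insertion problem described above, as an added example that is not code from the lynx project or from this column: a minimal HTTP request builder that passes control characters through unchanged, beside a hardened version that refuses them. The hostname and path values are constructed for illustration.

```python
"""Illustrates HTTP header injection via unfiltered control characters
and the check a client should perform before building a request."""
import re

# CR, LF and the other C0 control characters (plus DEL) are illegal in a
# request-line or header value; CR LF in particular ends a header line.
_CTL = re.compile(r"[\x00-\x1f\x7f]")


def has_illegal_chars(value: str) -> bool:
    """True if the value contains a character that must not go on the wire raw."""
    return _CTL.search(value) is not None


def build_request_naive(host: str, path: str) -> str:
    """Builds the request as given; CR/LF inside path is not filtered."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def build_request_hardened(host: str, path: str) -> str:
    """Rejects control characters instead of sending them on the wire."""
    for name, value in (("host", host), ("path", path)):
        if has_illegal_chars(value):
            raise ValueError(f"illegal control character in {name}")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"


def header_lines(request: str) -> list:
    """Splits a request the way a server would and returns its header lines."""
    head = request.split("\r\n\r\n", 1)[0]
    return head.split("\r\n")[1:]


if __name__ == "__main__":
    # Constructed attacker-controlled path carrying a raw CR LF pair.
    bad_path = "/index.html\r\nX-Injected: yes\r\nX-Pad:"
    print(header_lines(build_request_naive("example.com", bad_path)))
    try:
        build_request_hardened("example.com", bad_path)
    except ValueError as err:
        print("rejected:", err)
```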
The text-based ICQ client mICQ is vulnerable to a denial-of-service attack. This attack is conducted by sending the client ICQ messages that do not contain the required separator.
Users of mICQ should watch for a repaired version.
The Sun Cobalt RaQ 4 server appliances package, with the Security Hardening package (RaQ4-SHP Release 1.x.x) installed, has a vulnerability that can be exploited by a remote attacker to execute arbitrary code with root permissions. The vulnerability is in a CGI application installed on the server. It is reported that a script to automate exploitation of this vulnerability is available.
It is recommended that users apply the update available from Sun as soon as possible.
kpathsea library, which is used by
an insecure manner. This may be exploitable using a carefully-crafted
DVI file to execute arbitrary commands with the permissions of the user
dvips (often the printer user account
Users should watch their vendor for an updated version of the library and should recompile any applications that were statically linked to the vulnerable version.
tcpdump is vulnerable to a remotely exploitable buffer overflow in the
code that handles BGP decoding. This buffer overflow can be used to
tcpdump and may under some conditions be exploited to execute
code with the permissions of the user running
Users should contact their vendors for a repaired version of
and should consider disabling it until it has been repaired.
GTetrinet, a multi-player game, is vulnerable to several buffer overflows that can be exploited by a GTetrinet server.
Affected users should upgrade to GTetrinet 0.4.4 as soon as possible. If GTetrinet is not being used, users should consider removing it from the system.
The Exim message transfer agent has a vulnerability that can be exploited by a local attacker who has access to the admin user of Exim to gain root permissions. The admin user of Exim is set when the software is compiled. A program to automate the exploitation of this vulnerability has been released.
Concerned users should upgrade Exim to a repaired version.
Canna, a server used to enable Japanese-language input, has a buffer
overflow that can be exploited to execute code with the permissions of the user running
bin). The buffer overflow is present in
all versions of Canna through version 3.5b2. An additional vulnerability can be exploited in a remote denial-of-service attack and affects versions of Canna through 3.6.
Users should watch their vendor for updated packages that repair these problems.
OpenLDAP2 is an open source version of Lightweight Directory Access Protocol (LDAP) tools and servers. Buffer overflows have been found in OpenLDAP2 that can be remotely exploited to execute arbitrary commands on the server. Other locally exploitable problems have also been found.
Users should watch their vendor for an update to OpenLDAP2 and apply it as soon as it is available.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.