Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

New Apache

by Noel Davis
09/20/2004

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in Apache 2.x, GNU Radius, libXpm, CUPS, gdk-pixbuf, cdrtools, SUS, and Webmin.

Apache 2.0.51

Version 2.0.51 of the Apache web server has been released. This new version of Apache fixes the following security-related bugs: a minor denial-of-service vulnerability in the code that handles IPv6 URI parsing can result in a single child instance of the web server crashing; a buffer overflow in the code that parses configuration files that may be exploitable by a local attacker using a .htaccess file to trigger the overflow and execute code with the permissions of the web server; a denial-of-service vulnerability when proxying to a remote SSL server, where the remote SSL server can, under some conditions, crash a child instance of the web server; and a bug in WebDAV authoring that can be exploited using LOCK requests to crash a child instance of the web server. In all of the listed denial-of-service attacks, other instances of Apache will continue to handle web page requests. It is recommended that all users of the version 2.x series of the Apache web server upgrade to version 2.0.51.

GNU Radius

The GNU version of the remote user authentication and accounting daemon Radius is vulnerable to a buffer overflow that is reported to be exploitable in a denial-of-service attack that crashes the Radius daemon and denies service to users attempting to authenticate. The buffer overflow is in the asn_decode_string() function and is reported to be present only when Radius is compiled with the --enable-snmp option. Versions 1.1 and 1.2 of GNU Radius are reported to be vulnerable. Users affected by this vulnerability should upgrade to version 1.2.94 of GNU Radius or recompile Radius without the --enable-snmp option.

libXpm

The libXpm library contains multiple buffer overflows that may, under some conditions, lead to arbitrary code being executed with the permissions of a victim who uses an application linked against the libXpm library to view a carefully crafted XPM file. Users should watch their vendors for updated packages that repair the buffer overflows and replace any affected applications.

CUPS

CUPS, the Common Unix Printing System, is vulnerable to a denial-of-service attack that, when executed by a remote attacker, will disable browsing and prevent the CUPS server from seeing remote printer changes. This attack is conducted by sending an empty UDP packet to port 631 on the victim's machine. In addition, a bug in the foomatic-rip filter (which allows the use of a printer and driver database) can, under some conditions, be exploitable by a remote attacker to execute arbitrary code. The denial-of-service vulnerability has been repaired in CUPS version 1.1.21rc2 and in the CUPS CVS repository. Users of the foomatic-rip filter package should watch their vendors for updated packages or upgrade to foomatic 3.0.2.

gdk-pixbuf

gdk-pixbuf is reported to contain several buffer overflow bugs that may be exploitable under some conditions to execute arbitrary code with the permissions of the user, or used as part of a denial-of-service-type attack. These buffer overflows are in the code that loads BMP, ICO, and XPM files. Users should watch their vendors for a repaired version of gdk-pixbuf.
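The GNU Radius, libXpm, and gdk-pixbuf items above are all the same class of defect: a decoder that trusts a length field taken from the input. The following is an added illustration of that class, not code from any of those projects. The record format (a tag byte, a length byte, then the bytes, loosely modelled on an ASN.1 OCTET STRING) and the sample records are constructed for the example; the unchecked and checked decoders are written here to show the missing bounds checks side by side.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical tag-length-value record, constructed for this example:
 * byte 0 = tag (0x04, as for an ASN.1 OCTET STRING), byte 1 = length,
 * followed by `length` bytes of payload. */
#define TAG_OCTET_STRING 0x04
#define OUT_SIZE 8

/* Constructed sample records. */
static const uint8_t SAMPLE_GOOD[]       = { TAG_OCTET_STRING, 5, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t SAMPLE_BAD_LENGTH[] = { TAG_OCTET_STRING, 200, 'x' };  /* claims 200 bytes, carries 1 */
static const uint8_t SAMPLE_TOO_BIG[]    = { TAG_OCTET_STRING, 10, 'a', 'b', 'c', 'd', 'e',
                                             'f', 'g', 'h', 'i', 'j' };     /* valid, but larger than OUT_SIZE */
static char scratch[OUT_SIZE];

/* Vulnerable pattern: the length byte is trusted. A record whose length
 * exceeds the remaining input reads past the packet, and one that exceeds
 * the destination overwrites whatever follows `out` in memory. Only ever
 * called here with a well-formed record. */
int decode_string_unchecked(const uint8_t *in, size_t inlen, char *out)
{
    if (inlen < 2 || in[0] != TAG_OCTET_STRING)
        return -1;
    size_t len = in[1];
    memcpy(out, in + 2, len);      /* no bound on len at all */
    out[len] = '\0';
    return (int)(2 + len);
}

/* Hardened version: the length is validated against both the bytes actually
 * present and the caller's destination before anything is copied.
 * Returns the number of input bytes consumed, or -1 on any malformed input. */
int decode_string_checked(const uint8_t *in, size_t inlen, char *out, size_t outsz)
{
    if (outsz == 0 || inlen < 2 || in[0] != TAG_OCTET_STRING)
        return -1;
    size_t len = in[1];
    if (len & 0x80)               /* long-form length: reject rather than guess */
        return -1;
    if (len > inlen - 2)          /* claims more bytes than the packet holds */
        return -1;
    if (len >= outsz)             /* would not fit together with its terminator */
        return -1;
    memcpy(out, in + 2, len);
    out[len] = '\0';
    return (int)(2 + len);
}

int main(void)
{
    printf("good:      %d\n", decode_string_checked(SAMPLE_GOOD, sizeof SAMPLE_GOOD, scratch, OUT_SIZE));
    printf("bad len:   %d\n", decode_string_checked(SAMPLE_BAD_LENGTH, sizeof SAMPLE_BAD_LENGTH, scratch, OUT_SIZE));
    printf("too big:   %d\n", decode_string_checked(SAMPLE_TOO_BIG, sizeof SAMPLE_TOO_BIG, scratch, OUT_SIZE));
    return 0;
}
```

The two checks against `inlen` and `outsz` are the whole difference between the versions; everything the advisories describe (a crash from reading past the packet, or code execution from writing past the destination) comes from omitting one or both of them.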

cdrtools

Some versions of the cdrecord utility supplied with cdrtools are vulnerable to an attack if the package is installed set-user-ID root. cdrecord does not drop any root permissions before executing the command pointed to by the $RSH environment variable. A script to automate the exploitation of this problem has been released to the public. Some vendors have patched cdrecord to prevent this problem. Affected users should upgrade cdrtools to a repaired version and remove the set-user-ID bit from cdrecord or restrict who can execute it using a group.
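The cdrecord problem is the general rule that a set-user-ID program must not run a helper named by its caller while still holding root. The following added example is not cdrecord's code; it shows the two defensive steps a program in that position needs: ignore environment-supplied program names when running set-user-ID, and drop privileges permanently (and verify the drop) before any exec. The default path `/usr/bin/rsh` and the `$RSH` handling are assumptions for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define DEFAULT_RSH "/usr/bin/rsh"   /* assumed default for the example, not cdrecord's */

/* Decide which remote-shell program to run. `running_setuid` is nonzero when
 * the real and effective user ids differ, i.e. the binary was started via a
 * set-user-ID bit. In that case the caller's environment is untrusted and
 * $RSH is ignored; otherwise it is honoured as an ordinary user preference.
 * An absolute path is required either way, so $PATH cannot redirect it. */
const char *pick_remote_shell(int running_setuid)
{
    const char *rsh = running_setuid ? NULL : getenv("RSH");
    if (rsh == NULL || rsh[0] != '/')
        return DEFAULT_RSH;
    return rsh;
}

/* Permanently give up elevated privileges: group first (it can no longer be
 * changed once the user id is dropped), then user, then verify that root is
 * really gone. A real set-user-ID program also clears supplementary groups
 * with setgroups(), omitted here because it requires root to call.
 * Returns 0 on success, -1 if any step fails or root could be regained. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)      /* must fail; a saved uid of 0 would be a leak */
        return -1;
    return 0;
}

/* Run the helper only after root has been dropped. Does not return on success. */
int run_remote_shell(const char *host)
{
    int privileged = getuid() != geteuid();
    const char *rsh = pick_remote_shell(privileged);
    if (drop_privileges() != 0)
        return -1;
    execl(rsh, rsh, host, (char *)NULL);
    return -1;                            /* exec itself failed */
}

int main(void)
{
    setenv("RSH", "/tmp/user-choice", 1);          /* constructed value */
    printf("as setuid:  %s\n", pick_remote_shell(1));
    printf("as user:    %s\n", pick_remote_shell(0));
    printf("drop_privileges: %d\n", drop_privileges());
    return 0;
}
```

The verification step after `setuid()` matters: on systems where `setuid()` only changes the effective id for a process that is not root-owned, a silent partial drop leaves the saved set-user-ID in place, and the `setuid(0)` probe catches exactly that case.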

SUS

SUS, a utility that allows specified users to execute certain commands with root permissions, is reported to contain a format-string bug that may, under some conditions, be exploitable by a local attacker to execute any and all commands with root permissions. A second format-string bug may be exploitable by a local attacker to execute arbitrary code with root permissions. Users of tools such as SUS or Sudo should keep in mind that this kind of vulnerability is to be expected in utilities that allow users to run a limited set of commands with root permissions; if they still must use such a tool, they should watch carefully for vulnerabilities in it. The format-string bug is reported to be repaired in SUS version 2.0.6. For the present time, users of SUS should install the latest available release.
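A format-string bug in a privilege-granting tool almost always comes from logging: the name of the user or the command they asked for is passed to a printf-family function as the format rather than as an argument. The following added example is not SUS's code; the log line format and the sample "user name" are constructed to show the vulnerable call next to the safe one.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown as a comment so the example compiles cleanly
 * with -Wformat-security, which flags exactly this call):
 *
 *     void log_denied_unsafe(FILE *logf, const char *user)
 *     {
 *         fprintf(logf, user);     // user data becomes the format string
 *     }
 *
 * A user name containing %x directives reads the caller's stack, and one
 * containing %n writes to memory; with the program running as root that is
 * the arbitrary-code-execution outcome the advisory describes. */

/* Hardened pattern: the format string is a literal and user data is only
 * ever supplied as a %s argument. Returns the number of characters written,
 * or -1 if the line would not fit in `out` (truncation is treated as an
 * error rather than silently producing a misleading log entry). */
int format_denied_line(char *out, size_t outsz, const char *user, const char *cmd)
{
    int n = snprintf(out, outsz, "denied: user=%s cmd=%s", user, cmd);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return n;
}

void log_denied_safe(FILE *logf, const char *user, const char *cmd)
{
    char line[256];
    if (format_denied_line(line, sizeof line, user, cmd) < 0)
        fputs("denied: (log line too long)\n", logf);
    else
        fprintf(logf, "%s\n", line);   /* literal format, data as argument */
}

int main(void)
{
    /* Constructed input: a "user name" that is really a format string.
     * With the safe logger it is written out verbatim and interprets nothing. */
    log_denied_safe(stdout, "%x%x%n", "/bin/ls");
    return 0;
}
```

Building with `-Wformat -Wformat-security` (GCC) turns the unsafe call into a compile-time warning, which is the cheapest check to add to any set-user-ID program's build.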

Webmin

Webmin is a web-based toolkit for Unix systems that can administer user accounts, Apache, DNS, file sharing, and more. It is reported that, under some conditions, Webmin may be vulnerable to a symbolic-link race condition due to an insecure temporary directory. This can result in arbitrary files being written with the permissions of the web server. There is also a vulnerability in the web mail functionality of Webmin that may be exploitable by a remote attacker to execute arbitrary shell commands as the user running the web server. Affected users should upgrade to version 1.090 or newer of Webmin and should consider disabling Webmin until it can be upgraded.
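The symbolic-link race in the Webmin item is the classic temporary-file problem: a predictable name in a world-writable directory is opened with O_CREAT but without O_EXCL, so a symlink planted there beforehand redirects the write. The following added example is not Webmin's code (Webmin is written in Perl; the same pattern applies there); it shows the racy open beside the two safe alternatives, with the temporary-file name prefix constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Racy pattern: a predictable name in a shared directory, opened with O_CREAT
 * but without O_EXCL or O_NOFOLLOW. If a symlink already sits at `path`, the
 * open follows it and the caller's data lands in whatever file it points to. */
int open_tempfile_racy(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safe pattern for a scratch file: mkstemp() picks an unpredictable name and
 * opens it with O_CREAT|O_EXCL, so an existing entry (symlink or otherwise)
 * makes the call fail instead of being followed. `template` must end in
 * XXXXXX and is overwritten with the chosen name. Returns the fd or -1. */
int open_tempfile_safe(char *template)
{
    int fd = mkstemp(template);
    if (fd < 0)
        return -1;
    /* Verify what we actually hold: a regular file we own, with no
     * group/other permission bits (mkstemp creates it 0600 minus umask). */
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)
        || st.st_uid != geteuid() || (st.st_mode & 0077) != 0) {
        close(fd);
        unlink(template);
        return -1;
    }
    return fd;
}

/* Safe pattern for a fixed name that must be created fresh: O_EXCL refuses an
 * existing entry and O_NOFOLLOW refuses a symlink even if one appears between
 * a check and the open. Returns the fd or -1. */
int open_fixed_nofollow(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

int main(void)
{
    char tmpl[] = "/tmp/webmin-example-XXXXXX";   /* constructed prefix */
    int fd = open_tempfile_safe(tmpl);
    if (fd < 0) {
        perror("open_tempfile_safe");
        return 1;
    }
    printf("created %s\n", tmpl);
    close(fd);
    unlink(tmpl);
    return 0;
}
```

The post-open `fstat()` is what makes the check race-free: it inspects the file descriptor that was actually opened, not a path that may have changed since.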

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.



Copyright © 2009 O'Reilly Media, Inc.