Linux DevCenter    
 Published on Linux DevCenter (http://www.linuxdevcenter.com/)


Security Alerts

Ethereal Trouble

by Noel Davis
11/04/2005

Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in sudo, Ethereal, Apache mod_auth_shadow, fetchmailconf, lynx, Mantis, pnmtopng, gnump3d, Squid, unzip, uim, Curl, and imlib.

sudo

sudo, a utility that lets a user run commands as the superuser or as another user, does not reset the SHELLOPTS and PS4 environment variables before running the requested command. A local attacker who is permitted to run a bash script through sudo can set SHELLOPTS to turn on command tracing and put a command substitution in PS4; bash expands PS4 before each traced command, so the embedded command runs with the privileges of the target user. This flaw is reported to affect sudo versions 1.3.1 through 1.6.8.

It is recommended that users upgrade to version 1.6.8p11 of sudo as soon as possible.

It is incredibly difficult to create a utility that allows a user to run a limited set of commands with root privileges without introducing security problems: everything the command inherits from the caller, the environment included, is a potential channel for abuse. All users should decide whether they need to continue using sudo after carefully weighing its risks and benefits. If sudo is used, a careful watch for vulnerabilities should be kept.

Ethereal

The open source network protocol analyzer Ethereal contains multiple buffer overflows that a remote attacker may be able to exploit by supplying carefully crafted packets, which Ethereal processes either while capturing live from the network or while reading a packet trace file. These buffer overflows are in the SLIMP3, AgentX, and SRVLOC protocol dissectors.

Ethereal is also vulnerable to multiple denial-of-service vulnerabilities due to problems in the ISAKMP, FC-FCS, RSVP, ISIS LSP, BER, IrDA, SCSI, sFlow, RTnet, SigComp UDVM, X11, SMB, ONC RPC, and WSP dissectors.

All users are encouraged to upgrade to version 0.10.13 as soon as possible.

Apache mod_auth_shadow

The mod_auth_shadow module for the Apache web server makes Apache authenticate against the shadow password file in every directory that uses the "require group" directive. Under some circumstances, a remote attacker could abuse this to bypass access restrictions placed on the directory. This problem only affects systems with "AuthShadow on" configured in Apache.

Affected users should upgrade to version 1.5 or 2.1 of mod_auth_shadow as soon as possible. Patched versions have been released for Mandriva Linux versions 10.1, 10.2, and 2006.0 and Debian GNU/Linux 3.0 (woody) and 3.1 (sarge).

fetchmailconf

The fetchmailconf configuration utility, written in Python with Tkinter, contains a race condition when it writes the configuration file: the file, which holds the user's mail server password, is created before its permissions are restricted, so another local user may be able to read the password during that window.

The race condition can be repaired by upgrading to version 1.43.2 of fetchmailconf or by upgrading fetchmail to version 6.2.9-rc.

lynx

lynx, a text-mode web browser, is reported to contain a buffer overflow in the function HTrjis(). The function can overflow when article headers containing certain Asian characters are received from an NNTP server, because lynx adds extra escape characters to them; a malicious news server is therefore enough to trigger it. The buffer overflow is reported to affect lynx versions 2.8.2 through 2.8.5.

Affected users should watch their vendors for a repaired version of lynx. Debian has released repaired packages.

Mantis

The bug tracking system Mantis contains multiple vulnerabilities that a remote attacker may be able to exploit to run arbitrary code with the privileges of the user account running the web server, or to run arbitrary SQL commands against the database. There is also a cross-site scripting vulnerability in Mantis.

All users should upgrade to version 1.0.0rc2 or newer as soon as possible and should consider disabling Mantis if it cannot be immediately upgraded.

Netpbm pnmtopng

Netpbm is a set of graphics conversion tools. The pnmtopng utility distributed with it is vulnerable to a buffer overflow when the -trans command-line option is used. A remote attacker may be able to exploit it by tricking the victim into converting a carefully constructed PNM file.

Debian and Mandriva have released patched versions of Netpbm. Users of other distributions should watch their vendors for a repaired version.

gnump3d

gnump3d is a streaming audio server that supports OGG and MP3 files. A bug in gnump3d may be exploitable by a remote attacker to read arbitrary files that the server process can access. In addition, under some conditions, gnump3d is vulnerable to cross-site scripting.

All users of gnump3d should upgrade to version 2.9.7 or newer.

Squid

The open source web proxy cache Squid is vulnerable to a denial-of-service attack that exploits a flaw in the rfc1738_do_escape() function.

Patches have been released to repair this vulnerability.

unzip


The unzip utility extracts set-user-ID and set-group-ID files from a .zip archive with those bits intact and without warning the user. Under some circumstances, a local attacker who can get a victim to extract a crafted archive could then run the resulting set-user-ID file to gain the victim's privileges.

It is recommended that unzip be upgraded to version 5.52 or newer.
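The script below is an added example, not code from unzip or from the original column. It shows the check to run on any tree extracted from an archive you did not build yourself, whichever unzip version did the extraction: find regular files that came out set-user-ID or set-group-ID, clear the bits and report them. The function names and the constructed demonstration directory are this example's own.

```shell
#!/bin/sh
# Added example (not unzip's code): after extracting an untrusted archive,
# find regular files that carry the set-user-ID or set-group-ID bit, clear
# those bits and report the paths. An attacker who gets a victim to extract
# a zip containing such a file only needs the bit to survive extraction.

# Clear setuid/setgid on every regular file under $1; print each affected path.
# -perm -4000 / -perm -2000 match files with the setuid / setgid bit (POSIX find).
strip_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        chmod u-s,g-s "$f"
        printf '%s\n' "$f"
    done
}

# Count regular files under $1 that still carry either bit; 0 is what you want.
count_special_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | wc -l | tr -d ' '
}

# Extract into $2 and then sanitise it. Older unzip preserves the bits (the
# flaw above); this wrapper makes the outcome the same for any version.
safe_unzip() {
    if ! command -v unzip >/dev/null 2>&1; then
        echo "unzip not found" >&2
        return 1
    fi
    mkdir -p "$2"
    unzip -q -- "$1" -d "$2"
    strip_special_bits "$2"
}

# Stand-alone demonstration on a constructed directory (no archive needed):
# the setuid file stands in for what a crafted zip would leave behind.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\nid\n' > "$demo_dir/helper"
chmod 4755 "$demo_dir/helper"
touch "$demo_dir/readme"
chmod 644 "$demo_dir/readme"
echo "special-bit files before: $(count_special_bits "$demo_dir")"
strip_special_bits "$demo_dir"
echo "special-bit files after:  $(count_special_bits "$demo_dir")"
rm -rf "$demo_dir"
```

Use `safe_unzip archive.zip /some/new/dir` for real archives; the demonstration at the bottom exercises only the two check functions so the script runs without an archive or the unzip binary.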

uim

uim, a multilingual input method library, trusts environment variables that a local attacker can control. If a set-user-ID or set-group-ID application is linked against uim, the attacker can use those variables to execute arbitrary code with the elevated privileges of that application. Immodule-enabled Qt is reported to be affected.

Users should watch their vendors for a set of repaired packages.

Curl

The command-line tool Curl transfers files over multiple internet protocols, including HTTP, FTP, HTTPS, FTPS, GOPHER, DICT, and LDAP, and supports many methods of authenticating to remote servers, including Windows-based ones. When Curl uses NT LAN Manager (NTLM) authentication, an over-long user name triggers a buffer overflow in the code that handles the Windows user name. The overflow matters wherever the user name handed to Curl or libcurl can come from an untrusted source, for example a URL with embedded credentials passed to an application built on libcurl.

All users of Curl or libcurl should upgrade to version 7.15.0 or newer as soon as possible.

imlib

imlib, an image loading and rendering library for X11, is reported to have a buffer overflow that may be exploited to execute code on the victim's machine.

All users should watch their vendors for an updated imlib package.

Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.


Copyright © 2009 O'Reilly Media, Inc.