Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a new release of
Apache; buffer overflows in VNC, Icecast, Progress, and Solaris' Xsun;
and problems in LogWatch,
popper_mod, EMU Webmail,
and OpenLinux's KDE.
The Apache Software Foundation and The Apache Server Project have released version 1.3.24 of Apache. This new version fixes many bugs, including a bug in the Win32 version of Apache that can be exploited by a remote attacker to execute arbitrary commands, and a bug that could cause invalid client host names to be written to the log file.
Users should consider upgrading Apache to this new version.
VNC (Virtual Network Computing) is a remote desktop control
application that allows the control of remote systems and the viewing
of the remote system's desktop. Many versions of the VNC client are
vulnerable to a
zlib-related exploit that can, under some circumstances,
allow arbitrary code to be executed with the permissions of the user
running the client. To exploit this vulnerability, the attacker must
control the VNC server to which the client is attempting to connect.
Versions reported to be vulnerable include TightVNC (earlier than
1.2.3), TridiaVNC (earlier than 1.5.6), TridiaVNC Pro (earlier than
1.2.00), TridiaVNC for Unix (all versions through version 1.4.00),
VNCThing for the Mac (earlier than 2.3), VNC for the Apple Newton, and
the JRE VNC viewer.
Affected users should upgrade to a repaired version of VNC and the
system libraries as soon as possible. It is also recommended that VNC
should be run with the permissions of a normal user, the VNC viewer's
listen mode should be avoided, and connections should only be made to
Icecast, an open source audio streaming server, is remotely vulnerable to a buffer overflow that can be exploited to execute arbitrary code on the server with the permissions of the user running Icecast (often root). An automated exploit script has been released.
Users should watch for a patch or release that fixes this vulnerability. They should also consider disabling Icecast until it has been repaired. It is also recommended that Icecast run as a normal user with the fewest permissions possible.
The LogWatch logfile-analysis tool is vulnerable to a new temporary-file symbolic link race condition that can be exploited to gain root access to the system. This is not the same race condition that was fixed by an upgrade to LogWatch version 2.5.
Users should upgrade to LogWatch version 2.6 or newer as soon as possible, and should consider disabling LogWatch until it has been repaired.
A talk-chat-system-based identity spoofing tool named
talksp00f has been
released. It exploits a design flaw in the
talkd chat daemon to
impersonate an arbitrary user. As an example, this flaw can be used in
a social-engineering attack by impersonating the root user.
Users should exercise caution when they receive a
talk connection from
another user, and verify that the user is logged into the system and is
the user that is executing the
talk session. The system administrator,
as a general rule, will never need a user's password or their credit
card number, and such requests should be viewed with skepticism.
The Progress database is vulnerable to a buffer overflow (in the set user
id root executable
sqlcpp) that can be exploited by a local attacker to
execute arbitrary code as root. It has been reported that this
executable was added as part of the patch
Users should watch for a patch to repair this problem and should
remove the set user id bit from
sqlcpp if it is not needed.
The Solaris X Window server Xsun is vulnerable to a buffer overflow in
the command line parameter
-co. This can be exploited by a local
attacker to execute arbitrary code with root group permissions on a
Sparc, and root user permissions on a X86-based machine.
Users should consider removing set user id or set group id bits from Xsun and should watch Sun for a patch to repair this vulnerability.
popper_mod, a Web-based POP email client, can, under some conditions,
expose the administrative interface and allow an unauthorized user to
read user accounts and passwords, delete accounts, and change account
It is recommended that users upgrade to version 1.2.2 or newer of
popper_mod or use
htaccess authentication to protect the
The EMU Webmail messaging gateway does not properly check all user input and can be used by a remote attacker to view arbitrary directories and files on the server.
Users should watch for an updated version of EWU Webmail.
wwwisis is a CGI script that is used to query bibliographical and
other databases. It has vulnerability that, under some circumstances,
may be exploitable by a remote attacker to execute arbitrary commands
on the server with the permissions of the user executing the Web
It is recommended that users upgrade to
wwwisis version 5.0, as the 3.x
series is no longer being maintained.
Under OpenLinux 3.1.1, the
startkde script will set the
to a value that includes the current working directory. This can
potentially be exploited by a local attacker by creating a customized
shared library that will under some conditions be used instead of the
Caldera recommends that users upgrade to the latest packages for their system.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.