Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at buffer overflows in PostgreSQL and in UnixWare and Open UNIX's ndcfg; and problems in PHP, scponly, the kernel supplied with Red Hat Linux 7.3, Bugzilla, EPIC Script Light, the UnixWare DNS resolver, Mantis, an exploit for the Cisco IOS TFTP Server bug, and Red Hat's
A vulnerability has been reported in the mail() function under safe mode in PHP that can be exploited to execute arbitrary code with the permissions of the user ID running the PHP code. Versions 4.0.5 through 4.1.0 of PHP are reported to be vulnerable.
It is recommended that affected users upgrade to version 4.1.0 or newer of PHP as soon as possible.
Multiple buffer overflow vulnerabilities have been reported in the PostgreSQL database server, in the code for the repeat() function, for datetime input, and for the TZ environment variable. To exploit them, an attacker must already be able to log in to the database server.
The PostgreSQL Global Development Team has released version 7.2.2, which repairs these buffer overflows.
scponly, a custom shell designed to allow only connections by an account, has a flaw that, under some circumstances, can be used by an attacker to bypass the account restrictions and execute arbitrary commands on the server. If a user has write access to $HOME/.ssh/environment, they can modify their environment and cause a custom script to be executed.
A suggested workaround is to remove the user's write permission from their home directory and from $HOME/.ssh/, and to provide an alternative directory that they can use to upload files.
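As an added example (not code from the column or from the scponly project), the following Python audit checks a restricted account's home layout against the workaround above: the account must not own or be able to write $HOME or $HOME/.ssh, no $HOME/.ssh/environment file should be present, and a separate upload directory the account owns must exist. The demo layout it builds under a temporary directory is constructed for illustration only.

```python
# Added example (not code from the column or from scponly): audit whether a
# restricted account's home directory follows the workaround above, i.e. the
# account cannot write to $HOME or $HOME/.ssh (and so cannot plant
# $HOME/.ssh/environment) but does own a separate upload directory.
import os
import stat
import tempfile


def audit_scponly_home(home, account_uid, upload_dir="upload"):
    """Return a list of findings; an empty list means the layout is as recommended."""
    findings = []
    for path in (home, os.path.join(home, ".ssh")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if st.st_uid == account_uid:
            # An owner can always chmod the directory back to writable.
            findings.append(f"{path}: owned by the restricted account")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
    env = os.path.join(home, ".ssh", "environment")
    if os.path.lexists(env):
        findings.append(f"{env}: present; sshd may apply it at login")
    upload = os.path.join(home, upload_dir)
    try:
        st = os.stat(upload)
    except FileNotFoundError:
        findings.append(f"{upload}: upload directory missing")
    else:
        if st.st_uid != account_uid or not (st.st_mode & stat.S_IWUSR):
            findings.append(f"{upload}: not owned and writable by the account")
    return findings


def make_demo_home(home_mode=0o755, ssh_mode=0o755, with_env=False):
    """Build a constructed sample layout in a temp dir (owned by this process)."""
    home = tempfile.mkdtemp(prefix="scponly-demo-")
    ssh = os.path.join(home, ".ssh")
    os.mkdir(ssh)
    os.mkdir(os.path.join(home, "upload"))
    if with_env:
        with open(os.path.join(ssh, "environment"), "w") as fh:
            fh.write("EXAMPLE_VAR=1\n")  # harmless placeholder content
    os.chmod(home, home_mode)
    os.chmod(ssh, ssh_mode)
    return home
```

Because the demo directories are created by the running process, passing its own uid reproduces the weak layout (the account owns its home), while passing any other uid models a home owned by root.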
Red Hat has released an updated kernel package for Red Hat Linux 7.3 that repairs a problem in the code dealing with the Intel i810/i815 chipset, a race condition in the file system dcache, several kernel memory exposures in the /proc file system, and security problems in the apm kernel driver. Red Hat stated that they are not aware of any current exploits for these
Users of Red Hat Linux 7.3 should upgrade to the latest kernel package.
The Bugzilla bug-tracking system has several security problems: an attacker can bypass some security restrictions with a direct call to queryhelp.cgi; an attacker can bypass IP restrictions by spoofing a reverse DNS host name; Bugzilla creates new directories and new params files with world-writable permissions; authenticated users with edit permissions can delete other users by directly calling editusers.cgi; there is a cross-site scripting problem with the realname field; password data can potentially leak during an error; and there is an SQL injection attack against
It is recommended that all installations of Bugzilla be upgraded to an errata package containing version 2.14.3 or newer as soon as possible.
EPIC Script Light is a script written for the Epic4 IRC client. It contains a remotely-exploitable bug that can be used to execute arbitrary code with the permissions of the user running Epic4.
Users of EPIC Script Light should upgrade as soon as possible.
Caldera has released updated DNS resolver libraries for UnixWare 7.1.1 that repair a vulnerability that can be used in a denial-of-service attack or may, under some circumstances, lead to the execution of arbitrary code.
Caldera recommends that users of UnixWare 7.1.1 install the latest packages as soon as possible.
Mantis, an open source, Web-based bug tracking system written in PHP and using the MySQL database server, has a bug that can cause the "view bugs" page to show a user both public and private projects if no projects are available to the user.
Users should upgrade to Mantis version 0.17.5 or newer.
The UnixWare and Open UNIX command ndcfg is vulnerable to a buffer overflow that a local attacker can exploit to execute arbitrary code with increased permissions. This buffer overflow is reported to affect UnixWare 7.1.1 and Open UNIX 8.0.0. ndcfg raises its privileges through the security subsystem rather than by being set-user-ID or set-group-ID.
It is recommended that users upgrade to the latest binaries available from Caldera.
A program to automate the exploitation of a buffer overflow in the Cisco IOS TFTP Server has been released. The program is designed to work on Cisco 1600 and 1000 series devices and is reported to give full access to the device when the exploit is successful. Cisco's advisory on this problem says that the impact is limited to a denial-of-service attack.
The Cisco advisory states: "As the affected versions are not scheduled to be fixed, and a simple workaround is available, a software upgrade is not required to address this vulnerability." Users should contact Cisco for information on possible workarounds.
expect under Red Hat Linux 7.0 and 7.1 has been reported to have a bug that, under some circumstances, can be exploited by a local attacker to execute arbitrary code.
expect looks for its
libraries first in
tcl/tk looks first in the current working directory.
Red Hat has released updated packages to fix this problem.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.