Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at buffer overflows in trek; and problems in PHP-Nuke,
The Abuse video game is vulnerable to a buffer overflow that can be used by a local attacker to execute arbitrary code. If Abuse is set user id or set group id, this buffer overflow can be used to gain additional privileges. In addition, Abuse can be made to execute arbitrary Lisp script files that can launch other processes or modify files. According to the author, "Abuse has a number of other vulnerabilities and should never be installed on a multi-user system where security is a concern." Debian Linux is reported to install it set user id root.
Users with Abuse installed on their system should consider removing it from the system or removing any set user id or set group id bits from Abuse.
log2mail is a utility that watches a log file and emails any lines that match configured patterns. It is normally run as root and is started at system startup.
log2mail is vulnerable to a remote attack using a carefully crafted log message to overflow a buffer and execute
Affected users should upgrade to a repaired version as soon as possible.
PHP-Nuke is vulnerable to a SQL injection-style attack exploitable by any registered user. The attack can be used to modify the user database table, which allows a denial-of-service attack or the gaining of additional permissions by changing arbitrary users' passwords.
Users should upgrade to version 6.0 or newer of PHP-Nuke as soon as possible.
runlpr, distributed with the lprng package, is used to
lpr command with root permissions. It can be manipulated into executing arbitrary commands as root, but can only be executed by
The html2ps print filter, also distributed with the lprng package, has a vulnerability that can be used by a remote attacker to execute arbitrary commands with the permissions of the
The combination of these two vulnerabilities can be used by a remote attacker to execute commands with the permissions of the root user.
It is recommended that users upgrade lprng to a repaired version as soon as possible. A workaround for this vulnerability is to uninstall the html2ps print filter and restrict access to the printer to authorized hosts using the /etc/lpd.perms file.
It has been reported that pam_ldap is vulnerable to a format-string-based attack that can be used to execute code with additional permissions. Versions 143 and earlier have been reported to be
Users should watch their vendor for an updated package that
pam_ldap version 144 or newer. Gentoo Linux has released a
There is a buffer overflow in the Kerberos v4 administration server kadmind that may be exploitable to gain root permissions. It has been reported that a script to automate the exploitation of this vulnerability is available.
Heimdal, a free replacement for Kerberos, is also vulnerable to this buffer overflow and, in addition, is reported to be vulnerable to a buffer overflow in the
Affected users should upgrade Kerberos or Heimdal to a repaired version as soon as possible. Users should also consider protecting the administration server using a tool such as a firewall.
uudecode is reported to be vulnerable to a symbolic-link race condition that can be used, under some conditions, by an attacker to overwrite files with the permissions of the user executing
This vulnerability is reported to affect the uudecode that is supplied as part of the GNU Sharutils package. It is not known if other versions of uudecode are also affected.
It is recommended that users watch their vendor for an update package that repairs this vulnerability and that users avoid using
while in a world- or group-writable directory (such as /tmp).
bzip2 has several problems that can lead to files being overwritten or data being disclosed. bzip2 does not warn a user if a file will be overwritten when a file is uncompressed. When bzip2 uncompresses a file, it creates the new file with world-readable permissions, uncompresses the data, and then changes the file's permissions to the correct state. This creates a race condition in which a local user may read the data as it is being uncompressed. When bzip2 is used to compress a file using a symbolic link to that file, the symbolic link's permissions are used instead of those of the original file, possibly resulting in the wrong permissions being used on the created archive.
When uncompressing a file with bzip2, care should be taken that other files are not replaced, and file permissions of new archives should be
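The bzip2 permission race described above and the uudecode symbolic-link race described earlier both come down to how the output file is created. The following C routine is an added example, not code from bzip2, Sharutils or any vendor; the names write_output_safely and run_checks are my own. It refuses to replace an existing file or follow a planted symlink (O_CREAT|O_EXCL|O_NOFOLLOW), keeps the file private (0600) while data is written, and only then widens the mode with fchmod() on the open descriptor so there is no window in which another local user can read partial output.

```c
#define _GNU_SOURCE                     /* for O_NOFOLLOW and mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path without clobbering an existing file or following a symlink,
 * write data while the file is 0600, then apply final_mode via fchmod() on
 * the descriptor (not the path, so no second race). Returns 0 on success,
 * -1 with errno set (EEXIST/ELOOP when the name is already taken). */
int write_output_safely(const char *path, const char *data, size_t len,
                        mode_t final_mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    for (size_t done = 0; done < len; ) {
        ssize_t n = write(fd, data + done, len - done);
        if (n < 0) { close(fd); unlink(path); return -1; }
        done += (size_t)n;
    }
    int rc = fchmod(fd, final_mode);          /* widen permissions only now */
    return (close(fd) == 0 && rc == 0) ? 0 : -1;
}

/* Constructed self-check in a scratch directory: first write succeeds with the
 * requested mode, a second write to the same name is refused, and a name that
 * is a (dangling) symlink is refused. Returns 0 when all three hold. */
int run_checks(void)
{
    char dir[] = "/tmp/sa-check-XXXXXX", out[64], lnk[64];
    struct stat st;
    int ok = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(out, sizeof out, "%s/out.txt", dir);
    snprintf(lnk, sizeof lnk, "%s/lnk.txt", dir);
    if (write_output_safely(out, "hello\n", 6, 0644) == 0 &&
        stat(out, &st) == 0 && (st.st_mode & 0777) == 0644)
        ok++;
    if (write_output_safely(out, "x", 1, 0644) < 0 && errno == EEXIST)
        ok++;                                  /* existing file not clobbered */
    if (symlink("/nonexistent/target", lnk) == 0 &&
        write_output_safely(lnk, "x", 1, 0644) < 0)
        ok++;                                  /* symlink not followed */
    unlink(lnk); unlink(out); rmdir(dir);
    return ok == 3 ? 0 : -1;
}
```

A tool that must overwrite on request should unlink the old name first and then create with O_EXCL, rather than opening an existing name with O_TRUNC, which would still follow a symlink.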
ypserv, distributed with Network Information Services packages, has a memory leak bug that can expose data when a user requests an invalid
Users should watch their vendor for an update to
packages have been released for Gentoo Linux.
trek is vulnerable to a buffer overflow if a user enters more than 100 characters. Under some conditions, this buffer overflow could be used to gain the permissions of the game user id.
If trek is not in use, users should consider removing it from the system; otherwise, they should watch their vendor for an update.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.