Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at problems in PHP, OpenLDAP, Xpdf, Adobe Acrobat Reader, Mozart,
liece, OpenBSD's Packet Filter,
unzip, Imagemagick, Ezbounce,
The code that handles transparent session IDs in PHP contains a bug that can be exploited, under some conditions, to embed a script in web pages in a cross-site scripting attack. Exploiting this bug requires that the
session.use_trans_sid option be enabled. It has also been reported that under some circumstances, "safe mode" can be bypassed when using the
mail() function to send email.
Users should watch for updated PHP packages from their vendors that repair these problems.
OpenLDAP is an LDAPv2 and LDAPv3 server. OpenLDAP has several problems that have been reported, including a pair of remotely exploitable denial-of-service vulnerabilities and a problem with "one shot" replication. A failure within a password extended operation can lead to memory being released that was not allocated, causing a denial-of-service condition. The
back-ldbm back end is reported to have a memory leak that can also lead to a denial-of-service condition. The
slurpd utility's "one shot" replication mode is reported to not be working
in OpenLDAP 2.1.16.
It is recommended that users upgrade to OpenLDAP 2.1.21 or newer as soon as possible.
Xpdf and Adobe Acrobat Reader are viewers for PDF (Portable Document Format) files. They are vulnerable to an attack that embeds shell commands within links contained in a carefully crafted PDF file. When the victim selects the link, Xpdf will execute the commands while launching the browser or mail client. Adobe Acrobat 5.06 and Xpdf 1.01 are reported to be vulnerable.
In addition, there is a buffer overflow in Adobe Acrobat Reader that is also exploited by a user selecting a link in a carefully crafted PDF file when the link is more than 256 bytes long. The buffer overflow is reported to affect versions 5.0.7 and earlier.
Users should upgrade to repaired versions as soon as possible and should exercise care when viewing PDF files with a vulnerable viewer.
The Mozart Programming System is a development environment for
distributed applications built on the Oz language. Mozart will
configure the system
mailcap file so that Oz application files will be interpreted by Mozart. This can cause arbitrary Oz files from untrusted sources to be executed by web browsers, mail clients, file managers, and other applications that use the mailcap file.
Users should watch for an updated version that provides a solution for this problem.
liece, an IRC client for Emacs, is vulnerable to a symbolic-link race condition that can be used by an attacker to overwrite arbitrary files on the system with the permissions of the user running
Affected users should watch their vendor for a repaired version.
It has been reported that the packet filter in OpenBSD can leak information that can be used by an attacker to gather information about the network the firewall is on.
Users of OpenBSD's packet filter should watch for an updated packet filter.
The archiving tool
unzip has a bug that can be exploited using a carefully crafted .zip file to overwrite arbitrary files or to plant trojan files on the system, using the permissions of the user unzipping the file. The attacker places unprintable characters between two periods in the .zip file. When the .zip file is unpacked, the unprintable characters are filtered out, leaving the two periods ("
.."). This bug is reported to affect
unzip 5.50 and earlier.
Users should upgrade to a repaired
zip package as soon as possible and should refrain from unzipping archives from untrusted sources until
unzip has been updated.
The Imagemagick libraries provide a set of tools and libraries that allow the reading, writing, and modification of images in many file formats. Imagemagick versions before 126.96.36.199 are vulnerable to a temporary file, symbolic-link race condition that can be used by a local attacker to overwrite arbitrary files on the system with the permissions of the user running Imagemagick tools (or applications that are linked to Imagemagick libraries).
Users should upgrade to version 188.8.131.52 of Imagemagick or to a repaired package provided by their vendor.
Also in Security Alerts:
Ezbounce is an IRC (Internet Relay Chat) proxy server with many configuration options. Ezbounce is vulnerable to a remotely exploitable format-string vulnerability in the code that handles the session's command. A program to automate the exploitation of this vulnerability has been released to the public.
Affected users should watch for a repaired version. When possible, users should consider protecting the proxy server using a firewall.
semi, a MIME library for
emacs, is vulnerable to a temporary file, symbolic-link race condition that can be used by an attacker to overwrite arbitrary files on the system with the permissions of the user running
wemi is a MIME library that was forked from the
semi code and is also vulnerable.
Affected users should watch their vendors for a repaired version.
Several printer drivers and utilities have been reported to have
vulnerabilities. These include a buffer overflow in
escputil and a
temporary file, symbolic-link race condition in
Users should upgrade as soon as possible and if the printing system is not being used, should consider disabling it.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Read more Security Alerts columns.
Return to the Linux DevCenter.
Copyright © 2009 O'Reilly Media, Inc.