Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at problems in Sendmail,
gtkhtml, and Solstice AdminSuite.
There is a remotely exploitable buffer overflow in versions of
Sendmail through version 8.12.9. The buffer overflow is located in the
prescan() function and can be exploited by a remote attacker to
execute arbitrary code on the server with (in most cases) root
permissions. There is also an additional buffer overflow in the code
that handles rule set parsing that may be exploitable under some
All users of Sendmail should upgrade to Sendmail 8.12.10 or a repaired package from their vendors as soon as possible. Repaired packages have been announced for Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9; FreeBSD; Immunix 7+; Debian GNU/Linux 3.0 (both the stable and unstable branches have packages); Mandrake Linux 8.2, 9.0, 9.1, and the Mandrake Corporate Server 2.1; OpenPKG CURRENT, 1.2, and 1.3; SuSE Linux 7.2, 7.3, 8.0, 8.1, and 8.2; Conectiva Linux 7.0, 8, and 9; and Gentoo Linux. Users of other distributions or versions should contact their vendors for more information.
A problem in the dynamic reallocation and allocation of memory in
OpenSSH can cause a buffer overflow that can crash
sshd and may, under
some conditions, possibly be exploitable to run arbitrary code with
root permissions. In addition, there are several other buffer overflows
that are not thought to be exploitable. All of these buffer overflows
are reported to affect OpenSSH versions through 3.7. In addition to
the Unix operating systems affected by these problems, Cisco has
announced that the following network software packages are vulnerable: Cisco
Catalyst Switching Software (CatOS), CiscoWorks 1105 Hosting Solution
Engine (HSE), CiscoWorks 1105 Wireless LAN Solution Engine (WLSE), and
Cisco SN 5428 Storage Router.
Users should upgrade to version 3.7.1 of OpenSSH as soon as possible. Updated packages which repair this problem have been released for Conectiva Linux 7.0, 8, and 9; EnGarde Secure Linux EnGarde Secure Community v1.0.1 and 2, EnGarde Secure Professional v1.1, v1.2, and v1.5; FreeBSD, Red Hat Linux 7.1, 7.2, 7.3, 8.0, and 9; OpenPKG; Mandrake Linux 8.2, 9.0, 9.1, Corporate Server 2.1, and Multi Network Firewall 8.2; Slackware 8.1, 9.0, and current; Sorcerer Linux; and Debian Linux (stable version).
The MySQL database has a buffer overflow in the code that handles
password checks (the
get_salt_from_password() function). A user with
global administrative permissions can exploit the buffer overflow to
execute arbitrary code on the server with the permissions of the user
running the daemon (often root). It is reported that the buffer
overflow affects MySQL servers through version 4.0.14. A program to
automate the exploitation of this vulnerability has been released to
It is recommended that users upgrade to MySQL 4.0.15 as soon as
possible and that they configure MySQL to run as a normal user using the
--user=<dedicated user> command-line parameter.
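As an added illustration that is not part of the column, the following POSIX shell functions audit a MySQL option file to see whether its [mysqld] section pins the server to a dedicated non-root account with a user= line, which is the option-file form of the --user=<dedicated user> parameter recommended above. The sample my.cnf contents are constructed for the example; the check reads only the file, not the running process.

```shell
#!/bin/sh
# Added example (not from the column): check whether a MySQL option file pins
# mysqld to a dedicated non-root account. "user=NAME" under [mysqld] is the
# option-file equivalent of starting the server with --user=NAME.

# Exit status 0 if the [mysqld] section has no user= line, or sets it to root;
# that is the situation the column warns about (daemon running as root).
mysqld_user_not_pinned() {
    awk '
        # Track the current [section] header, stripping brackets and blanks.
        /^[ \t]*\[/ { sect = $0; gsub(/\[|\]|[ \t]/, "", sect); next }
        # Remember the last user= value seen inside [mysqld] only;
        # a user= line under [client] is a login name, not the daemon account.
        sect == "mysqld" && /^[ \t]*user[ \t]*=/ {
            split($0, kv, "="); u = kv[2]; gsub(/[ \t]/, "", u)
            user = u; found = 1
        }
        END { if (!found || user == "root") exit 0; exit 1 }
    ' "$1"
}

# Print a one-line verdict for a file (usable from a cron job or audit script).
report_mysqld_user() {
    if mysqld_user_not_pinned "$1"; then
        echo "$1: [mysqld] does not set a dedicated non-root user (add user=mysql)"
        return 1
    fi
    echo "$1: mysqld pinned to a non-root user"
}

# Constructed sample option files for trying the check offline.
write_sample_cnf() {
    case "$2" in
        weak) printf '[client]\nuser=root\n\n[mysqld]\ndatadir=/var/lib/mysql\n' > "$1" ;;
        root) printf '[mysqld]\nuser = root\n' > "$1" ;;
        good) printf '[mysqld]\ndatadir=/var/lib/mysql\nuser = mysql\n' > "$1" ;;
    esac
}
```

Run it as `report_mysqld_user /etc/my.cnf`; a non-zero exit means the file does not pin the daemon to a dedicated account, so it should be fixed before the next restart.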
The Pine email client available from the University of Washington is vulnerable to two buffer overflows that can be exploited by a remote attacker using a carefully constructed email. When the user opens the attacker's email, the buffer overflow will occur and arbitrary code will be executed with the permissions of the user.
It is recommended that all users upgrade to Pine 4.58 as soon as possible and that users consider not using Pine until it has been repaired.
The SANE network daemon (Scanner Access Now Easy) is reported to have
the following problems: users can make an initial connection to the
daemon even if their host is not allowed to use the scanner; a buffer
overflow can occur when a connection is dropped, under some conditions;
when the connection is dropped just before saned mallocs memory to
hold a string, a denial-of-service condition on the server can occur;
saned does not validate RPC numbers before reading the parameters;
when debug messages are turned on and a connection is dropped, saned
can crash; and under some conditions, saned may allocate too much
memory.
Users should watch for a repaired version. A workaround for the
excessive memory allocation is to use ulimit to restrict the amount of
memory saned can allocate. Debian has released an updated package that
repairs these problems.
The gtkhtml library is used by Gnome applications, such as Evolution, to
render HTML. The gtkhtml library contains two bugs that a remote
attacker, using a carefully crafted web page, can exploit to crash
applications that are linked to the library.
Users should upgrade to version 1.1.10 of the gtkhtml library.
Flaws in the Solstice AdminSuite can be exploited by a remote attacker
to execute arbitrary commands as root. The attacker can send a series of
Remote Procedure Call (RPC) requests to the
sadmind daemon that will
allow the attacker to authenticate to the server as an authorized user
of Solstice AdminSuite. The attacker can then spawn a root shell or
issue other commands.
Users who do not require the Solstice AdminSuite should comment out
sadmind in /etc/inetd.conf and then restart the inetd daemon. Users
who require Solstice AdminSuite should protect it from unauthorized
connections using a firewall and configure it to use stronger
security by changing the line in /etc/inetd.conf to read:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
It has been reported that Sun is not planning a patch for this issue.
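The two inetd.conf changes described above, as an added POSIX shell example that is neither from the column nor from Sun: one function comments the sadmind entry out, another rewrites it to the -S 2 form, and a third sends inetd the SIGHUP that makes it re-read the file. The sample inetd.conf is constructed for the example, and pkill is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the column): audit and adjust the sadmind entry in an
# inetd.conf-style file, following the column's two recommendations.
#   sadmind_disable : comment the entry out (Solstice AdminSuite not needed)
#   sadmind_harden  : append "-S 2" so sadmind uses the stronger security level
# Both rewrite the file given as $1 in place through a temporary copy; inetd
# must then be told to re-read its configuration (see inetd_reload).

# Print the active (uncommented) sadmind entries, if any.
sadmind_entries() {
    grep '^[^#].*/sadmind[[:space:]]' "$1"
}

# Exit status 0 if sadmind is enabled without "-S 2", i.e. still exposed.
sadmind_exposed() {
    sadmind_entries "$1" | grep -v -- '-S 2' | grep -q .
}

# Comment out every active sadmind entry.
sadmind_disable() {
    sed -e 's/^\([^#].*\/sadmind[[:space:]]\)/#\1/' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Drop any existing -S level from the active entry and append "-S 2";
# running it twice leaves a single "-S 2" on the line.
sadmind_harden() {
    sed -e '/^[^#].*\/sadmind[[:space:]]/s/[[:space:]]-S[[:space:]]*[0-9]//' \
        -e '/^[^#].*\/sadmind[[:space:]]/s/$/ -S 2/' "$1" > "$1.tmp" &&
        mv "$1.tmp" "$1"
}

# Ask inetd to re-read its configuration (SIGHUP). Not invoked automatically;
# pkill is assumed to exist on the system (it does on Solaris 7+ and Linux).
inetd_reload() {
    pkill -HUP -x inetd
}

# Constructed sample inetd.conf; the sadmind line is the stock Solaris entry
# without the -S option.
write_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inetd.conf
ftp    stream tcp nowait root /usr/sbin/in.ftpd    in.ftpd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
}
```

Typical use on a real system is `sadmind_exposed /etc/inetd.conf && sadmind_harden /etc/inetd.conf && inetd_reload` (or sadmind_disable in place of sadmind_harden); the temporary copy means a failed sed leaves the original file untouched.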
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.