Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a new release of
Apache, and problems in
anonftp, Kpopup, CUPS,
mod_security, and the Linux Java Installer.
A new version of Apache has been released that fixes two security problems. The mod_cgid module can, when a threaded MPM is being used, send the output of a CGI application to the wrong client, an information leak between clients. The mod_rewrite module, among others, contains buffer overflows that may be exploitable by a local user when a configured regular expression contains more than nine captures. It is recommended that users upgrade to Apache 2.0.48.
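The trigger condition above is a configuration property, so it can be audited before the upgrade window. The script below is an added example, not code from the Apache project: it scans an httpd.conf for RewriteRule and RewriteCond patterns with more than nine capture groups. The group count is approximate (it counts unescaped "(" that do not start a non-capturing "(?" group and ignores parentheses inside bracket expressions), and the configuration fragment it runs on is constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the Apache project: audit an httpd.conf for
# mod_rewrite patterns with more than nine capture groups, the condition the
# column gives for the overflow. The count is an approximation: it counts
# unescaped "(" that do not begin a non-capturing "(?" group and ignores
# parentheses inside bracket expressions such as "[(]".
set -eu
set -f   # patterns contain * ? [ ] ; never let the shell glob them

# count_captures PATTERN -> number of capturing groups (approximate)
count_captures() {
    printf '%s' "$1" \
      | sed -e 's/\\\\//g' -e 's/\\(//g' -e 's/(?//g' \
      | tr -cd '(' | wc -c | tr -d ' '
}

# find_risky_rewrites FILE -> one "LINE CAPTURES DIRECTIVE" line per
# RewriteRule/RewriteCond whose pattern has more than nine captures.
find_risky_rewrites() {
    file=$1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                        # word-split the directive line
        case "${1:-}" in
            RewriteRule) pat="${2:-}" ;;    # RewriteRule PATTERN SUBST [FLAGS]
            RewriteCond) pat="${3:-}" ;;    # RewriteCond TESTSTRING CONDPATTERN
            *) continue ;;
        esac
        c=$(count_captures "$pat")
        if [ "$c" -gt 9 ]; then
            printf '%s %s %s\n' "$n" "$c" "$1"
        fi
    done < "$file"
}

# Constructed httpd.conf fragment for the demo (not from any real server).
CONF=$(mktemp)
trap 'rm -f "$CONF"' EXIT
cat > "$CONF" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?example\.com$
RewriteRule ^/(a)/(b)/(c)$ /x?a=$1&b=$2&c=$3 [L]
RewriteRule ^/(a)/(b)/(c)/(d)/(e)/(f)/(g)/(h)/(i)/(j)$ /ten [L]
RewriteRule ^/(?:static)/(\()(.*)$ /paren [L]
EOF

find_risky_rewrites "$CONF"   # prints: 4 10 RewriteRule
```

Run it against the real configuration with `find_risky_rewrites /etc/httpd/conf/httpd.conf`; any line it reports is one to simplify (or split across several rules) until 2.0.48 is deployed. Because local users are the stated threat, the rules that matter most are those in per-directory .htaccess files, which this script does not walk.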
The ls command distributed with the coreutils packages can be used in a denial-of-service attack when it is invoked with certain command-line parameters. It also has a buffer overflow bug in the code that handles its command-line parameters, which is reported not to be exploitable. Both problems can be triggered remotely through applications, such as FTP servers, that run ls on behalf of remote users. Users should watch their vendor for updated coreutils packages. Updated packages have been released for Red Hat Linux 7.1, 7.2, 7.3, and 8.0, and for Conectiva Linux versions 7.0, 8, and 9.
The anonftp packages contain a version of the ls command that has the same problems as the ls command in the coreutils package. All users of anonftp should watch their vendor for an updated version. Updated anonftp packages have been released for Conectiva Linux versions 7.0, 8, and 9.
Kpopup, an application used to send and receive Microsoft Windows WinPopup messages, can be exploited by a local attacker to gain a root shell. Kpopup is reported to be installed set-user-id root and to use the system() function to call the killall command. Because system() runs the command through the shell, which locates killall via the caller's PATH, the attacker creates an exploit script named killall, puts its directory first in PATH, and then runs Kpopup; Kpopup executes the attacker's script with root permissions. A script to automate the exploitation of this vulnerability has been released.
Anyone not using the functionality of Kpopup should remove any set-user-id or set-group-id permissions from it until it has been patched or upgraded. Users should watch their vendors for a repaired version.
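The PATH hijack is easy to reproduce without a root shell. The script below is an added example, not Kpopup's code: it stands in for a program that calls system("killall ...") with a shell command resolved through PATH, shows the attacker's fake killall winning the lookup, and then shows the fixed form (absolute path, no shell, scrubbed environment) alongside the column's stop-gap of stripping the set-id bits. Everything lives in a scratch directory; the directories, the two stand-in killall scripts and the dummy setuid file are constructed for the demo, so the "hijacked" command runs as the current user rather than root.

```sh
#!/bin/sh
# Added example (not Kpopup's code): simulate the PATH hijack of a program
# that calls system("killall ...") and show the fix. Runs entirely inside a
# scratch directory; no real setuid binary is involved.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EVIL="$WORK/evil"          # directory the attacker controls (constructed)
LEGIT_BIN="$WORK/bin"      # stand-in for the real /usr/bin (constructed)
mkdir -p "$EVIL" "$LEGIT_BIN"

# Attacker's fake killall: a real exploit would spawn a root shell here.
printf '#!/bin/sh\necho hijacked\n' > "$EVIL/killall"
# Stand-in for the legitimate killall so the demo does not depend on the host.
printf '#!/bin/sh\necho legit\n' > "$LEGIT_BIN/killall"
chmod 755 "$EVIL/killall" "$LEGIT_BIN/killall"

# What system("killall -q foo") does: /bin/sh -c looks the command up through
# the inherited PATH, and the attacker has simply prepended their directory.
kpopup_vulnerable() {
    PATH="$EVIL:$LEGIT_BIN:$PATH" sh -c 'killall -q foo'
}

# Fixed form: absolute path, no shell, and a scrubbed environment (env -i),
# the shell equivalent of clearenv() followed by execv("/usr/bin/killall", ...).
kpopup_fixed() {
    env -i PATH=/usr/bin:/bin "$LEGIT_BIN/killall" -q foo
}

# The column's stop-gap: strip set-uid/set-gid bits until a fix is installed.
drop_setid_bits() {
    chmod u-s,g-s "$1"
}

# Audit helper: list set-uid files under a directory tree (one filesystem).
list_setuid_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

echo "vulnerable: $(kpopup_vulnerable)"   # hijacked
echo "fixed:      $(kpopup_fixed)"        # legit
```

On a real system, `list_setuid_files /` is the inventory to review, and `drop_setid_bits /path/to/kpopup` is the one-line mitigation. Note that a fixed PATH alone is not enough for a setuid program: other inherited variables (IFS, LD_PRELOAD, locale settings) can also change what a shell or dynamic loader does, which is why the fixed form clears the whole environment rather than just PATH.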
The CUPS printing system has a bug in its IPP (Internet Printing Protocol) code that a remote attacker can use to cause a denial of service in the printer daemon. The attacker must be able to connect to the IPP port (631 in a default installation) to carry out this attack.
Users of CUPS should upgrade to a repaired version or watch their vendors for updated packages. Red Hat has released updated packages for Red Hat Linux 8.0 and 9. If CUPS is not being used on a system, disabling or removing it should be considered; where it is needed, the IPP port should not be reachable from untrusted networks.
Libnids is a component of a network intrusion detection system that emulates the IP stack of Linux 2.0.x and provides IP defragmentation, TCP stream reassembly, and TCP port-scan detection. Libnids contains a buffer overflow in its packet-reassembly code that, under some conditions, may be exploitable to execute code with root permissions, since a sniffer of this kind is normally run as root.
It is recommended that all users of Libnids upgrade to version 1.18 or newer as soon as possible. Packages containing Libnids 1.18 have been released for Conectiva Linux 7.0, 8, and 9.
The PostgreSQL database is vulnerable to a buffer overflow in the to_ascii() family of functions that may be used by a remote attacker to execute arbitrary code with the permissions the database is running under. Because to_ascii() is called from SQL, the attacker needs some way to issue queries, for example a database account or an SQL injection hole in an application that talks to the database.
Affected users should upgrade to PostgreSQL version 7.3.4 or to a repaired package from their vendor as soon as possible. The OpenPKG project and Conectiva Linux have released repaired packages.
A buffer overflow and an information-disclosure vulnerability have been found in thttpd, a small web server that is designed to be fast and secure. The buffer overflow can be triggered remotely but is not thought to be exploitable. The information-disclosure bug is in the code that handles virtual hosting; when exploited, it allows a remote attacker to read any file on the system that the user account thttpd runs under can read, which is a reminder to run the server under a dedicated low-privilege account.
Users should watch their vendor for an updated version that repairs these problems. SuSE has released a repaired package for SuSE Linux 7.3, 8.0, 8.1, 8.2, and 9.0.
mod_security for Apache 2 is reported to be vulnerable to a buffer overflow in the sec_filter_out() function that can, under some conditions, be exploited by a remote attacker to execute code with the permissions of the user running Apache. The attacker must have some method of uploading a script onto the server before this attack can succeed.
Users should upgrade to version 1.7.2 of mod_security as soon as possible.
The install program used to install Sun's JRE/JDK under Linux is vulnerable to several symbolic-link race conditions that a local attacker can use to overwrite arbitrary files on the system, in most cases with root permissions. This problem is reported to affect both the binary installer and the RPM-based install.
On multiuser machines it may be wise to bring the machine to single-user mode and check /tmp for pre-existing files or symbolic links named /tmp/.mailcap1, /tmp/.mime.types1, and /tmp/unpack.log before doing the install.
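The mechanism behind that advice, and the pre-install check itself, as an added example that is not Sun's installer code: a predictable file name in a world-writable directory lets a local user plant a symbolic link so that the installer's privileged write lands on a file of the attacker's choosing. The script uses a scratch directory standing in for /tmp and a "victim" file standing in for something only root may write; both, and the naive and fixed installer stand-ins, are constructed for the demo.

```sh
#!/bin/sh
# Added example (not Sun's installer code): show how a predictable temp-file
# name lets a pre-planted symlink redirect a privileged write, then show the
# fix (mktemp) and the column's pre-install check. $TMPD stands in for /tmp.
set -eu

TMPD=$(mktemp -d)          # stands in for /tmp (constructed)
trap 'rm -rf "$TMPD"' EXIT
VICTIM="$TMPD/victim"      # stands in for a file only root may write
printf 'original\n' > "$VICTIM"

# Attacker's move, made before the installer runs: plant a symlink at the
# predictable name the installer is known to write.
plant_symlink() {
    ln -sf "$VICTIM" "$TMPD/.mailcap1"
}

# Naive installer: opens the fixed name and writes through whatever it points
# at. Run as root, this truncates and overwrites the victim file.
installer_naive() {
    printf 'installer data\n' > "$TMPD/.mailcap1"
}

# Fixed installer: mktemp creates a fresh, unpredictable name with O_EXCL, so
# a pre-planted link at a guessed name is never followed. Prints the path.
installer_fixed() {
    f=$(mktemp "$TMPD/.mailcap.XXXXXX")
    printf 'installer data\n' > "$f"
    printf '%s\n' "$f"
}

# The column's check: flag any of the known names that already exist in the
# temp directory, saying whether each is a symlink and where it points.
check_tmp_for_planted_files() {
    dir=$1
    for name in .mailcap1 .mime.types1 unpack.log; do
        p="$dir/$name"
        if [ -L "$p" ]; then
            printf 'WARNING: %s is a symlink to %s\n' "$p" "$(readlink "$p")"
        elif [ -e "$p" ]; then
            printf 'WARNING: %s already exists\n' "$p"
        fi
    done
}

victim_contents() { cat "$VICTIM"; }

plant_symlink
check_tmp_for_planted_files "$TMPD"
installer_naive
echo "after naive installer, victim contains: $(victim_contents)"   # installer data
printf 'original\n' > "$VICTIM"                                      # reset for the fixed run
installer_fixed > /dev/null
echo "after fixed installer, victim contains: $(victim_contents)"    # original
```

Against the real system, `check_tmp_for_planted_files /tmp` is the command to run before starting the installer; anything it reports should be removed (and its owner asked about) first. Single-user mode matters because the check and the install are not atomic: on a busy multiuser box a link can be planted in the gap between the two.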
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.