Welcome to Security Alerts, an overview of recent Unix and open source security
advisories. In this column, we look at problems in Perl, PostgreSQL,
cpio, UW IMAP, ChBg, FireHOL, Clam AntiVirus, and
Perl, a popular scripting and data parsing language, is vulnerable to two attacks that may be exploitable by an attacker to overwrite files with root permissions, or to execute arbitrary code with root permissions. Perl's set user id wrapper is supplied with Perl to allow the safe execution of set user id root scripts. An attacker can set the environment variable PERLIO_DEBUG to an arbitrary file that will be overwritten with Perl debugging messages when the set user id root Perl script is executed. Also, running the set user id root script while PERLIO_DEBUG is set to a very long value can cause a buffer overflow and result in arbitrary code being executed.
Affected users should watch their vendors for an updated version of Perl and should consider disabling set user id scripts until Perl has been updated.
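Disabling set user id scripts, as recommended above, first requires knowing which ones exist. The following audit is an added example, not code from the column or from the Perl project: it walks a directory tree, reports regular files that carry a setuid or setgid bit and whose shebang names perl (or the suidperl/sperl wrapper), and builds a constructed sample tree with hypothetical file names so it can be run offline. On a real system you would point it at / or the directories you care about.

```python
import os
import shutil
import stat
import tempfile

# Interpreter basenames treated as Perl (suidperl/sperl is the set user id wrapper).
PERL_INTERPRETERS = ("perl", "suidperl", "sperl")

def shebang_interpreter(path):
    """Return the basename of the interpreter named on the #! line,
    or None if the file has no shebang (e.g. a compiled binary)."""
    try:
        with open(path, "rb") as f:
            first = f.readline(256)
    except OSError:
        return None
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].strip().split()
    if not parts:
        return None
    interp = parts[0]
    # "#!/usr/bin/env perl" names the real interpreter in the second word
    if os.path.basename(interp) == b"env" and len(parts) > 1:
        interp = parts[1]
    return os.path.basename(interp).decode("ascii", errors="replace")

def find_setid_perl_scripts(root):
    """Walk root and return (relative path, octal mode) for each regular file
    that carries a setuid or setgid bit and is interpreted by perl."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                       # lstat: never follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            interp = shebang_interpreter(path)
            if interp is not None and interp.startswith(PERL_INTERPRETERS):
                hits.append((os.path.relpath(path, root), oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)

def demo():
    """Constructed sample tree (hypothetical file names): one setuid Perl script,
    one plain Perl script, one setuid shell script. Only the first should be reported."""
    root = tempfile.mkdtemp()
    try:
        samples = {
            "bin/reporter.pl": ("#!/usr/bin/perl -T\nprint \"report\\n\";\n", 0o4755),
            "bin/plain.pl":    ("#!/usr/bin/env perl\nprint 1;\n", 0o755),
            "bin/tool.sh":     ("#!/bin/sh\necho hi\n", 0o4755),
        }
        os.mkdir(os.path.join(root, "bin"))
        for rel, (body, mode) in samples.items():
            p = os.path.join(root, rel)
            with open(p, "w") as f:
                f.write(body)
            os.chmod(p, mode)
        return find_setid_perl_scripts(root)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for rel, mode in demo():
        print(f"set-id perl script: {rel} mode {mode}")
```

The walk uses lstat so that a symlink pointing at a set user id file elsewhere is not double-counted, and it checks the shebang rather than the file name because set user id Perl scripts need not end in .pl. Each hit is a candidate for chmod u-s,g-s until the vendor's updated Perl arrives.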
The PostgreSQL database server is vulnerable to a local attack that can be exploited to execute arbitrary code with the permissions of the database server. Any authorized user of PostgreSQL can use the LOAD extension command to load an arbitrary shared library that will execute its initialization function.
The PostgreSQL developers have released updated versions of PostgreSQL 8.0, 7.4, 7.3, and 7.2.
ncpfs allows the mounting of NetWare server volumes under Linux and printing to NetWare print queues, and spooling NetWare print queues to the Linux printing system. Multiple vulnerabilities have been announced that can be used by a local attacker to gain root permissions, or be exploited by a remote NetWare host to compromise the local machine. These vulnerabilities include buffer overflows in ncpmap using the -T command line option; nwclient.c does not properly drop its root permissions when executing NetWare client functions; and a buffer overflow in ncplogin may be exploitable by a remote NetWare server.
Users of ncpfs should upgrade to version 2.2.6 or newer as soon as possible, or should watch their vendors for a repaired version. Repaired packages have been released for Mandrake Linux 10.0, 10.1, Corporate Server 2.1, and Corporate Server 3.0; and Gentoo Linux.
The free open source web proxy cache server Squid runs on Unix systems and has many features, including proxying and caching of HTTP, FTP, and other URL types, proxying for SSL, transparent caching, extensive access controls, HTTP server acceleration, SNMP, and caching of DNS queries. Multiple problems have been announced in Squid, including: authenticated users can bypass access control using a username starting with or trailing a space, several cache poisoning attacks using malformed HTML headers, a cache poisoning attack based on an HTTP response splitting attack, and a buffer overflow vulnerability in code located in wccp.c that may be exploitable by a remote attacker to execute arbitrary code on the server with the permissions of the user account running Squid. Versions of Squid earlier than 2.5.7-r5 are reported to be vulnerable to these problems.
All users of Squid should upgrade to version 2.5.7-r5 or newer as soon as possible.
cpio, an archiving utility, is reported to create files with incorrect permissions (not properly applying the user's umask) when it creates output files with the -F command line parameter.
Users should watch their vendors for an updated version of cpio and should verify that any archive files that have been created have the correct file permissions.
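The verification step above can be automated. The following checker is an added example, not part of the column or of cpio: a umask can only remove permission bits, so any file or directory created under a given umask should have none of that mask's bits set; the function walks a tree and reports every entry that still carries such bits. The sample directory it builds is constructed, with hypothetical file names and a umask of 022.

```python
import os
import shutil
import stat
import tempfile

def current_umask():
    """Read the process umask without changing it (os.umask both sets and returns)."""
    mask = os.umask(0)
    os.umask(mask)
    return mask

def umask_leaks(mode, mask):
    """Permission bits present in `mode` that the umask `mask` should have cleared.
    Zero means the entry is consistent with having been created under that umask."""
    return stat.S_IMODE(mode) & mask

def find_umask_violations(root, mask):
    """Walk root and return (relative path, actual mode, leaked bits) for every
    file or directory whose mode keeps bits the umask should have removed."""
    findings = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue                 # symlink modes are not meaningful
            leaked = umask_leaks(st.st_mode, mask)
            if leaked:
                findings.append((os.path.relpath(path, root),
                                 oct(stat.S_IMODE(st.st_mode)), oct(leaked)))
    return sorted(findings)

def demo():
    """Constructed extraction directory (hypothetical names): two entries with
    modes a umask of 022 would produce, and two that kept group/world write bits
    as the cpio bug described would leave them."""
    root = tempfile.mkdtemp()
    try:
        mask = 0o022
        for name, mode in (("good.txt", 0o644), ("script.sh", 0o755), ("leaky.txt", 0o666)):
            p = os.path.join(root, name)
            with open(p, "w") as f:
                f.write("x\n")
            os.chmod(p, mode)
        os.mkdir(os.path.join(root, "sub"))
        os.chmod(os.path.join(root, "sub"), 0o777)
        return find_umask_violations(root, mask)
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    # Example invocation against the constructed tree; on a real system pass the
    # directory you extracted into and current_umask() (or the umask in force then).
    for rel, actual, leaked in demo():
        print(f"{rel}: mode {actual} keeps bits {leaked} the umask should have cleared")
```

Checking "mode & umask == 0" rather than comparing against a fixed 644/755 is deliberate: cpio legitimately restores execute bits from the archive, so a script extracted as 755 is fine under umask 022, while a 666 file or a 777 directory is the symptom described above.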
UW IMAP is the University of Washington IMAP daemon that supports both POP3 and IMAP. A bug in the UW IMAP code that handles CRAM-MD5 (the "Challenge-Response Authentication Mechanism with MD5") authentication can be exploited by a remote attacker to authenticate to the IMAP daemon as any user of the system if CRAM-MD5 based authentication is configured.
All users of UW IMAP should upgrade to version imap-2004b or newer as soon as possible.
ChBg, a highly configurable utility for changing the background picture under X11, is vulnerable to a buffer overflow in the simplify_path function in config.c that can be exploited through a carefully created ChBg scenario file. If a victim uses this scenario file, it will cause a buffer overflow and execute arbitrary code. Version 1.5 and earlier of ChBg are vulnerable to this buffer overflow.
Users should watch their vendors for an update of ChBg and should avoid using scenario files from untrusted sources. It is not clear if the author of ChBg is still maintaining it, as the last update on its SourceForge page was in 2001.
FireHOL is an iptables rule generator. It is vulnerable to a temporary-file symbolic-link race condition that may be exploitable by a local attacker to overwrite arbitrary files on the system with the permission of the user running FireHOL.
It is recommended that all users of FireHOL upgrade to FireHOL R5 v1.226 or newer as soon as possible.
Clam AntiVirus (or ClamAV) can be bypassed by using a base64-encoded image. This problem affects ClamAV version 0.80 and earlier. In addition, a carefully crafted .zip file can be used by a remote attacker to crash the
Users should upgrade to ClamAV 0.81.
f2c, a Fortran-to-C translator, is reported to be vulnerable to an attack based on a temporary-file symbolic-link race condition that may be exploitable by a local attacker to overwrite files on the system with the permissions of the victim.
Affected users should watch for an updated version of f2c. Gentoo Linux has released a repaired version.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.