Buffer Overflow in OpenServer's Mana
09/10/2001
Welcome to Security Alerts, an overview of recent Unix and open source security advisories. In this column, we look at a buffer overflow in OpenServer's mana; symbolic link race conditions in Solaris' patchadd and the Netscape 6.01a installation scripts; and problems in ProFTPd, Conectiva Linux's tcltk, NetBSD's dump, mailman, mod_auth_mysql, Directory Manager, Taylor UUCP, screen, PHProjekt, and Red Hat's lpd.
Red Hat systems that are running the line printer daemon lpd without any access controls and that have the tetex-dvips packages installed are vulnerable to an attack that can be used to execute arbitrary commands as the lp user. Red Hat Linux 7.0 has been reported vulnerable, but Red Hat Linux 7.1 has been reported not vulnerable.
It has been reported that a workaround for this vulnerability is to change, in the file /usr/lib/rhs/rhs-printfilters/dvi-to-ps.fpi, the line dvips -f $DVIPS_OPTIONS < $TMP_FILE to dvips -R -f $DVIPS_OPTIONS < $TMP_FILE (the -R flag runs dvips in secure mode, which disables the execution of shell commands embedded in a DVI file). Users should watch Red Hat for a patch for this problem.
The Taylor UUCP package has problems with argument handling that an attacker can exploit to gain the permissions of the uucp user and group. Once the attacker has uucp user and group permissions, they can use this access to gain root, create files, or conduct denial-of-service attacks against the system.
Users of Taylor UUCP should watch their vendor for an updated package. Systems that do not use UUCP should remove the uucp packages.
When ProFTPd is configured to use reverse DNS (UseReverseDNS is set in the configuration file), it does not verify the host names returned. It may then be vulnerable to an attacker spoofing, in the log file, the host name they are connecting from, or bypassing access control lists.
Users of ProFTPd should not use reverse DNS and should instead record the IP addresses of connecting hosts in their log files. Users should also consider running ProFTPd using TCP wrappers, with its paranoid DNS checking, or using
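The "paranoid" check the column recommends is a forward-confirmed reverse lookup: the name in the PTR answer is trusted only if resolving that name forward yields the connecting address. The following is an added illustration of that check, not ProFTPd's or TCP wrappers' own code; the resolver tables are constructed sample data standing in for socket.gethostbyaddr() and socket.getaddrinfo(), and all addresses are documentation ranges.

```python
# Constructed resolver data. 192.0.2.20's PTR claims a name whose forward
# lookup points somewhere else, which is the spoof the column describes:
# whoever controls the reverse zone controls the PTR answer.
PTR_RECORDS = {
    "192.0.2.10": "ftp-client.example.net",
    "192.0.2.20": "trusted.example.com",
}
FORWARD_RECORDS = {
    "ftp-client.example.net": {"192.0.2.10"},
    "trusted.example.com": {"203.0.113.5"},
}

def reverse_lookup(ip):
    """Stand-in for socket.gethostbyaddr(); the PTR owner controls this answer."""
    return PTR_RECORDS.get(ip)

def forward_lookup(name):
    """Stand-in for socket.getaddrinfo(); the name's own zone controls this answer."""
    return FORWARD_RECORDS.get(name, set())

def unverified_hostname(ip):
    """What a server does when it trusts the PTR answer as-is (the weak setting)."""
    return reverse_lookup(ip)

def verified_hostname(ip):
    """Paranoid check: accept the PTR name only if it resolves back to ip."""
    name = reverse_lookup(ip)
    if name is None or ip not in forward_lookup(name):
        return None
    return name

def log_identity(ip):
    """Log the confirmed name, otherwise the raw address, never the bare PTR."""
    return verified_hostname(ip) or ip

def acl_allows(ip, allowed_names):
    """A name-based allow rule matches only a forward-confirmed name."""
    name = verified_hostname(ip)
    return name is not None and name in allowed_names
```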
The Tcl/Tk and expect applications shipped with Conectiva Linux are configured to look for libraries in a world-writable directory. An attacker can use this vulnerability to execute arbitrary code by placing modified libraries in the world-writable directory; these will be executed when a user runs one of these applications.
The Conectiva Linux security team recommends that users upgrade their tcltk packages for versions 6.0 and 7.0 of Conectiva Linux.
The dump utility supplied with NetBSD does not drop its tty group membership before performing actions that a local attacker can exploit to execute arbitrary commands with the permissions of the tty group. It has been reported that NetBSD 1.5.2 is not vulnerable.
It is recommended that dump be upgraded or patched as soon as possible.
The mailman mailing list manager has been reported to have a problem that can be used to gain access to the administrative interface for a mailing list, and another that can be used by the list administrator to retrieve the plain text of a user's mailing list password.
Users of mailman should upgrade to version 2.0.6 or newer.
mod_auth_mysql, a module for the Apache Web server that allows users to authenticate against a MySQL database, has a vulnerability that can be used by an attacker to modify the SELECT statement that is sent to the MySQL database.
Users of mod_auth_mysql should upgrade the module and then restart Apache.
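The flaw class here is a SELECT built by pasting the supplied credentials into the statement text. As an added example (not mod_auth_mysql's code, which is a C module talking to MySQL), the vulnerable construction is shown next to a hardened one that binds the values as parameters so the statement text is fixed; the in-memory SQLite table, the user row and the crafted username are all constructed for the demonstration.

```python
import sqlite3

# Constructed input that carries a quote and an SQL comment marker.
CRAFTED_USERNAME = "alice' --"

def make_db():
    """In-memory stand-in for the MySQL user table (constructed sample data;
    the password is stored in clear only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn

def auth_unsafe(conn, username, password):
    """Builds the SELECT by concatenation: a quote in the input ends the
    string literal and the rest of the input becomes part of the statement,
    so the password comparison can be commented out."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def auth_safe(conn, username, password):
    """Sends the values as bound parameters: the driver never interprets
    them as SQL, so the statement always compares both columns."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None
```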
The LDAP directory tool Directory Manager has a vulnerability that can be used to execute arbitrary commands with the permissions of the user running the Web server.
Users should upgrade Directory Manager to version 0.91 or newer as soon as possible.
screen, a full-screen window manager, has a vulnerability that can be used by a local attacker to gain root if screen has been installed set user id root and if there is a directory below
screen requires installation as set user id root to provide several features, such as multi-attached sessions.
It is recommended that screen be upgraded to version 3.9.10 or newer as soon as possible, and that in most cases it not be installed set user id root.
The mana utility (/usr/internet/admin/mana/mana) in OpenServer has a buffer overflow that can be used to gain root access. This buffer overflow is reported to affect OpenServer 5.0.6a and earlier.
Caldera recommends that users upgrade mana as soon as possible.
PHProjekt, a groupware application written in PHP, has a vulnerability that can be used to read, change, and delete any other user's content.
Users of PHProjekt should upgrade to version 2.4a.
An exploit has been released for an old symbolic link race condition problem in the Solaris ksh shell that affects the patchadd utility. It is reported to successfully exploit the race condition on a Solaris 2.8 Sparc with a current patch cluster applied.
Users should watch Sun for a patch. Until a patch has been released, it is recommended that users either shut down and then boot the system into single user mode with boot -s or change to single user mode with init S, and ensure that there are no dangerous files in the /tmp directory before applying any patches.
The installation of Netscape 6.01a has a symbolic link race condition vulnerability that can be used by an attacker to overwrite arbitrary files with the permissions of the user installing Netscape (in many cases root).
Users should consider shutting the system down to single user mode before installing Netscape.
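Both the patchadd and the Netscape installer problems above are the same pattern: a privileged process writes to a predictable name in a shared directory such as /tmp, and a symbolic link already sitting at that name redirects the write to an arbitrary file. The following is an added illustration of the write as it is usually coded next to a form that creates the file atomically and refuses anything already present; it is not code from Sun, Netscape or the column, and the directory, file names and contents are constructed for the demonstration.

```python
import errno
import os
import tempfile

def unsafe_write(path, data):
    """open(path, "w") follows a symlink already at path, so the data lands
    wherever the link points: the arbitrary-file overwrite the advisories describe."""
    with open(path, "w") as f:
        f.write(data)

def safe_create_write(path, data):
    """O_CREAT|O_EXCL creates the file atomically and fails if anything (file
    or symlink) is already there; O_NOFOLLOW additionally refuses to traverse
    a symlink in the final component. Mode 0600 keeps the file private.
    For scratch files, tempfile.mkstemp() applies the same flags for you."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def _read(path):
    with open(path) as f:
        return f.read()

def demo():
    """Constructed scenario: a link named like a scratch file already points
    at a file the privileged process never intended to touch."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim.conf")
        with open(victim, "w") as f:
            f.write("original")
        scratch = os.path.join(d, "scratch.tmp")
        os.symlink(victim, scratch)

        unsafe_write(scratch, "clobbered")
        after_unsafe = _read(victim)

        safe_refused = False
        try:
            safe_create_write(scratch, "clobbered again")
        except OSError as e:
            # EEXIST from O_EXCL, or ELOOP from O_NOFOLLOW: both mean "refused".
            safe_refused = e.errno in (errno.EEXIST, errno.ELOOP)
        return {"after_unsafe": after_unsafe,
                "safe_refused": safe_refused,
                "after_safe": _read(victim)}
```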