Welcome to Security Alerts, an overview of recent Unix and open source security advisories.
In this column, we look at a large set of
problems in BIND; buffer overflows in KDE's LISA,
FreeBSD resolver code, Windowmaker, Tiny HTTPd, and Zeroo HTTP Server;
and problems in Lib HTTPd, KDE's
rlogin KIO code, Kgpg,
Squid, and UnixWare and OpenUnix's
- Lib HTTPd
- KDE telnet and rlogin
- FreeBSD Resolver Code
- Tiny HTTPd
- Zeroo HTTP Server
- UnixWare and OpenUnix talkd
BIND has a collection of vulnerabilities that can be used by a remote attacker to execute arbitrary code and that can be used in a denial of service attack against the name server. All versions of BIND earlier than 9.2.1, 8.3.4, 8.2.7, and 4.9.11 are affected.
ISC recommends that users upgrade to version 9.2.1 or newer of BIND as soon as possible. Users who cannot upgrade to 9.2.1 can upgrade to BIND versions 8.3.4, 8.2.7, or 4.9.11.
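The version thresholds above can be turned into a check over a name server inventory. This is an added example, not code from the column or from ISC. It assumes that each fixed release applies to its own BIND release line (9.x, 8.3.x, older 8.x, 4.x) and that a pre-release of a fixed version counts as unfixed; the host names and version strings are constructed.

```python
import re

# Fixed releases named in the column, one per BIND release line.
# Assumption (not stated in the column): each threshold applies to its own line.
FIXED_9, FIXED_8_3, FIXED_8_2, FIXED_4 = (9, 2, 1), (8, 3, 4), (8, 2, 7), (4, 9, 11)
# x.y[.z] followed by an optional pre-release tag such as rc1, b2 or a1.
_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(rc|b|a)\d+)?", re.I)

def parse_version(banner):
    """Return ((major, minor, patch), is_prerelease), or None if no version is found."""
    m = _VERSION.search(banner)
    if m is None:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)), m.group(4) is not None

def is_affected(banner):
    """True/False per the column's thresholds; None when manual review is needed."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    version, prerelease = parsed
    if version[0] == 9:
        fixed = FIXED_9
    elif version[0] == 8:
        fixed = FIXED_8_3 if version[:2] >= (8, 3) else FIXED_8_2
    elif version[0] == 4:
        fixed = FIXED_4
    else:
        return None
    # Assumption: a pre-release of a fixed version (e.g. 9.2.1rc1) is treated as unfixed.
    return version < fixed or (version == fixed and prerelease)

def hosts_to_upgrade(inventory):
    """Return hosts whose reported version is affected or could not be classified."""
    return sorted(h for h, banner in inventory.items() if is_affected(banner) is not False)

# Constructed inventory: host names and version strings are made up for illustration.
INVENTORY = {
    "ns1.example.net": "9.2.1",
    "ns2.example.net": "9.2.0",
    "ns3.example.net": "8.3.3-REL",
    "ns4.example.net": "8.2.7-REL",
    "ns5.example.net": "4.9.8",
    "ns6.example.net": "9.2.1rc1",
    "ns7.example.net": "version hidden",
}

print(hosts_to_upgrade(INVENTORY))
```

Hosts that hide or rewrite their version string come back as unclassified and are listed for manual review rather than silently passed.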
KDE's LISA is a LAN browsing utility package. LISA is vulnerable to buffer overflows that can be used by an attacker to execute code with the permissions that LISA is running under (often root). Additionally, under some conditions an attacker may be able to access a user's account using a bug in LISA.
Users should upgrade to KDE 3.0.5, apply the appropriate patches, disable LISA, and remove its set user id bits, or remove LISA from the system.
Lib HTTPd, a library implementing web server capabilities, contains a bug that can be exploited to execute arbitrary code on the server with the permissions of the user running the application linked to the library. A script to automate the exploitation of this bug has been released.
Users should watch for an update to Lib HTTPd and should consider disabling applications built with it until they have been recompiled using a repaired library.
It has been reported that there are several buffer overflows in the
libpng library that can be exploited in a denial of service attack
against any application linked to the library and may be exploitable
to execute code.
Affected users should watch their vendor for updated packages.
masqmail is a mail transfer agent designed for machines without a
continuous Internet connection.
masqmail has buffer overflows that
can be exploited under some circumstances to execute code with root
Users should upgrade to a repaired version as soon as possible.
A flaw in the implementation of the KIO subsystem of KDE 2.1 and higher and KDE 3 to 3.0.4 can be exploited using a specially contrived URL in a KIO-enabled application, HTML email, or HTML page to execute arbitrary commands on the system with the user's permissions.
It is recommended that KDE 3 users upgrade to KDE 3.0.5 or apply
patches to KDE 3.0.4. KDE 2 users unable to upgrade to KDE 3 should
rlogin KIO protocols.
The resolver code in FreeBSD is used to query host names and IP addresses. It is vulnerable to several buffer overflows that may be exploitable in a remote denial of service attack.
Users should upgrade their system to FreeBSD 4.7-RELEASE or 4.7-STABLE. Users that choose not to upgrade should apply the appropriate patches and recompile any affected statically linked applications.
Windowmaker, a popular X Window manager, has a buffer overflow in the code that handles showing images. Under some circumstances, this buffer overflow could be exploited to execute code with the permissions of the user running Windowmaker.
It is recommended that users upgrade to Windowmaker version 0.80.2 or the CVS version as soon as possible.
Tiny HTTPd, a small web server, is vulnerable to a buffer overflow that can be used to execute code on the server with the permissions of the user running Tiny HTTPd and is also vulnerable to a bug that can be used to view arbitrary files on the server.
The last update to the SourceForge page for Tiny HTTPd was in April 2001. Users should consider looking for a web server that is being actively maintained.
A bug in Kgpg (a frontend to GnuPG) results in the creation of wizard-generated secret keys that have empty passphrases. An empty passphrase in a secret key would allow any user who has access to your key file, or physical access to the computer it is stored on, to decrypt any file without the use of a key phrase.
It is possible to edit the secret keys and add a passphrase, but it is recommended that any wizard-generated keys be deleted and replaced. Users should also upgrade Kgpg to version 0.9.
A number of security problems have been repaired in the web caching software Squid. Code that has been repaired includes code that parses FTP directory listings into HTML pages, Gopher client code, code dealing with the MSNT auth helper, code that deals with FTP data connections, and code that forwards proxy authentication credentials.
The Squid team recommends that users upgrade to version 2.4.STABLE7 of Squid.
The Zeroo HTTP server is vulnerable to a buffer overflow that can be used by a remote attacker to execute arbitrary code with the permissions of the user running the web server. A script to automate the exploitation of this vulnerability has been released.
Users should watch for an update that repairs this vulnerability.
The talk daemon supplied with UnixWare 7.1.1 and OpenUnix 8.0.0 is
vulnerable to a remotely exploitable format string bug.
Caldera recommends that users upgrade to the latest