OpenSSH 3.2.2 Released
Welcome to Security Alerts, an overview of recent Unix and open source
security advisories. In this column, we look at a new version of
OpenSSH that corrects several security problems; buffer overflows in
Wu-imapd, Solaris' lbxproxy, tcpdump, mpg321, lukemftp, and OpenServer
sar; and problems in bzip2, FreeBSD's k5su, SuSE's shadow/pam-modules utilities,
Red Hat's XML Extras Mozilla packages, and the Quake II server.
OpenSSH 3.2.2 has been released. This new version repairs a
collection of security problems, including buffer overflows in
Kerberos/AFS token passing and the Kerberos client code. In addition,
it no longer automatically enables Kerberos/AFS; will only
accept RSA keys with a minimum size; has experimental support for
privilege separation; and improves support for smartcards, Kerberos,
older sftp servers, and importing old DSA keys. Users of OpenSSH are
encouraged to upgrade.
Some versions of the Wu-imapd IMAP daemon created and distributed by the University of Washington are vulnerable to a buffer overflow that can be exploited by a remote attacker (with an account on the system) to execute arbitrary code with the permissions of the attacker's account. Systems affected by this attack would, for the most part, be those that offer email accounts but do not allow their users shell access. Only versions of Wu-imapd that are compiled with legacy RFC 1730 support are vulnerable. The precompiled Wu-imapd daemons distributed by the University of Washington for the previous year are not vulnerable.
Affected users should watch their vendor for an updated version or apply the patch released by the University of Washington.
bzip2, a file-compression utility, is vulnerable to a race condition
during the time that it creates a file and then sets its permissions.
The race condition can, under some circumstances, allow a local user to
read files that they should not have permission to read.
Users should watch their vendor for a repaired version.
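The create-then-chmod window described above, shown beside the atomic alternative, as an added example in C that is not bzip2's own code; the demo path is a constructed placeholder.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed demo path; not taken from bzip2. */
static const char DEMO_PATH[] = "/tmp/bzip2_race_demo.out";

/* Racy pattern: between creat() and chmod() the file exists with mode
 * 0666 & ~umask, so another local user can open it for reading in that
 * window. creat() also silently reuses a file or symlink that someone
 * else already planted at the path. */
int create_output_racy(const char *path, mode_t final_mode)
{
    int fd = creat(path, 0666);
    if (fd < 0) return -1;
    /* ... decompressed data would be written to fd here ... */
    if (chmod(path, final_mode) < 0) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Hardened pattern: O_CREAT|O_EXCL creates the file atomically and fails
 * if anything already exists there, and the initial 0600 mode means no
 * other user can read it at any point. fchmod() then applies the final
 * mode on the open descriptor, so there is no second lookup by path. */
int create_output_safe(const char *path, mode_t final_mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    /* ... decompressed data would be written to fd here ... */
    if (fchmod(fd, final_mode) < 0) { close(fd); unlink(path); return -1; }
    close(fd);
    return 0;
}

/* Permission bits of path, or -1 if it cannot be stat()ed. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0) return -1;
    return (int)(st.st_mode & 07777);
}
```

Calling create_output_safe twice on the same path makes the difference visible: the second call is refused with EEXIST, whereas create_output_racy happily truncates and reuses whatever is already there.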
The lbxproxy application under Sun Solaris is vulnerable to a buffer
overflow that can be exploited by a local attacker to execute
arbitrary code. Under Solaris x86, lbxproxy is installed with a set
group id bit; exploiting this buffer overflow will result in
increased permissions. The Sparc version of Solaris does not install lbxproxy with any set user id or group id bits, and exploiting this
vulnerability on that platform will not grant any additional
permissions.
It has been reported that patch 108653-41 repairs this vulnerability for Solaris 8 x86, that 108652-51 repairs the Sparc version of Solaris 8, and that there are patches available for Solaris 7.
The k5su utility, like the su utility, is used to switch to other user
accounts but uses Kerberos 5 or the passwd file to authenticate. The
k5su utility does not honor the wheel group restrictions when switching
to the root account and does not have some of the features of su, such
as checking for expired passwords, login classes, and a shell in
/etc/shells. These problems can create a situation where restrictions
placed on users are not being enforced.
Systems that do not need the functionality of k5su, or where the
administrators find the risks unacceptable, should remove the set user
id bit from k5su. Future versions of FreeBSD will install k5su if
requested, but will not turn on the set user id bit by default.
Mandrake has released a new tcpdump package that fixes several buffer
overflows that can be exploited by an attacker to crash tcpdump and
possibly execute arbitrary code.
Affected users should upgrade as soon as possible.
mpg321, a command-line MP3 player that was written as a replacement
for mpg123, is vulnerable to a buffer overflow in the network
streaming code that may be used by a remote attacker to execute
arbitrary code. Versions of mpg321 before 0.2.9 are reported to be
vulnerable.
It is recommended that users upgrade to mpg321 version 0.2.10 or newer
as soon as possible.
lukemftp, an FTP client, has a buffer overflow in the code that
handles the PASV command from an FTP server. This buffer overflow can
be exploited by an attacker that controls a remote FTP server to
execute code on the client machine with the permissions of the user
executing lukemftp.
Users should watch their vendor for a repaired version of lukemftp.
SuSE Linux has released updated packages that fix this problem.
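A bounds-checked parser for the PASV reply a client must handle at this point, as an added C example that is not lukemftp's code (the column does not describe the actual faulty routine); the sample replies are constructed.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

struct pasv_addr {
    unsigned char ip[4];
    uint16_t port;
};

/* Parses the RFC 959 reply "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
 * Nothing is copied into a fixed buffer based on the reply's length: each
 * field is accumulated digit by digit, capped at three digits and at 255,
 * and exactly six comma-separated fields must be present.
 * Returns 0 on success, -1 on any malformed or oversize reply. */
int parse_pasv_reply(const char *reply, struct pasv_addr *out)
{
    if (strncmp(reply, "227", 3) != 0) return -1;
    const char *p = strchr(reply, '(');
    if (p == NULL) return -1;
    p++;
    unsigned v[6];
    for (int i = 0; i < 6; i++) {
        if (!isdigit((unsigned char)*p)) return -1;
        unsigned n = 0;
        int digits = 0;
        while (isdigit((unsigned char)*p)) {
            n = n * 10 + (unsigned)(*p - '0');
            if (++digits > 3 || n > 255) return -1;  /* reject oversize fields */
            p++;
        }
        v[i] = n;
        if (i < 5) {
            if (*p != ',') return -1;
            p++;
        }
    }
    if (*p != ')') return -1;
    for (int i = 0; i < 4; i++) out->ip[i] = (unsigned char)v[i];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}
```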
There are bugs in the shadow/pam-modules utilities that can be
exploited by a local attacker, under some conditions, to truncate the
passwd or shadow file and, in the worst case, obtain root access. These
bugs are reported to affect SuSE Linux version 8.0.
SuSE has released updated shadow and pam-modules packages and recommends that they be applied as soon as possible.
There is a component in the XML Extras package of Mozilla 0.9.9 and earlier that can be abused by a remote attacker to read arbitrary files and directories when Mozilla is used to view a specially-crafted Web page.
Affected users should upgrade to the updated packages.
A vulnerability has been announced in Quake II servers that can be exploited to obtain sensitive information that can then be used to access information (such as directory listings) and execute any server command, some of which will create files on the server.
Users should watch for an update to the Quake II server that repairs this problem.
The sar command under OpenServer 5.0.5 is vulnerable to a buffer
overflow in the -o command line parameter. This vulnerability also
affects sadc, cpusar, and mpsar.
Caldera has released updated packages and recommends that users upgrade.
Noel Davis works as a Unix system administrator. He first started using Unix in 1994 when he purchased a copy of Yggdrasil Plug-and-play Linux Summer 1994 Release.
Copyright © 2009 O'Reilly Media, Inc.